Trend Micro researchers have identified a bug in the Android file sharing app SHAREit. The app has over one billion downloads on Google Play Store.
According to researchers, the app contains multiple unpatched vulnerabilities that hackers could abuse to run malicious code on devices where the app is installed and expose sensitive user data.
It is worth noting that SHAREit was one of the 59 Chinese apps that the union government in India banned temporarily and permanently.
Hackers could download and steal data
The app allows sharing and downloading of various file types, including Android Package (APK). However, the vulnerabilities associated with these features are mostly unintended flaws.
Moreover, Trend Micro researchers noted that previously identified vulnerabilities used to download and steal documents from user devices are also linked with this app.
Furthermore, researchers identified that a hacker could do anything with the app apart from stealing sensitive data. The bug only affected the app’s Android version while the iOS version is safe as it uses a different codebase.
“We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable,” Trend Micro blog post read.
Data hijacking due to lack of proper restrictions
Trend Micro researcher wrote that the root cause of the app’s security flaws in Android is that it lacks appropriate restrictions needed to determine who can access the app’s code.
The malicious apps installed on a mobile device or through a person-in-the-middle attack, an attacker can send malicious commands to the SHAREit app. This could lead to the hijacking of the app’s legitimate features for running custom code, installing third-party apps, and overwrite local app files without the user’s knowledge or consent.
SHAREit vulnerable to Man-in-the-Disk attacks
The app was also identified to be vulnerable to the Man-in-the-Disk (MITD) attacks. This vulnerability was first described by the Check Point security firm in 2018. It exploited the insecure storage of sensitive app resources stored in the shared space where other apps resources are stored on the mobile phone. Hence, an attacker can easily edit, delete, or replace them.
SHAREit users at risk
SHAREit is now banned in India, but in 2019 it was one of the most downloaded apps in the country. Cybercriminals could exploit the vulnerabilities to steal sensitive files from the app. This means millions of SHAREit users in India are at data leaking risk.
The company was notified about the vulnerabilities but didn’t receive any response from the vendor. After waiting for three months, Trend Micro decided to disclose the bug and urged users to regularly patch and update mobile operating systems and apps to ensure safe mobile app use.
Nevertheless, if you are using the SHAREit app it is a good idea to delete the app until the company issues security patches for every vulnerability reported by the researchers.