An Android app used by a significant chunk of the global population also has glaring security flaws that would allow a savvy hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.
ShareIt, which claims to have more than 1 billion global downloads, is the product of Singapore-based developer Smart Media4U. Its primary feature is peer-to-peer file sharing, which gives users the ability to exchange photos, music, videos, gifs, etc. The app, which has been on an upward trajectory over the past several years, has garnered recognition for its swift growth and global reach.
But it also apparently has software vulnerabilities that would allow a bad actor to easily leak a user’s data or even execute arbitrary code by abusing ShareIt permissions, according to a new report from Trend Micro.
The report shows that one of the app’s chief vulnerabilities stems from how it shares information and permissions with other apps. Indeed, due to the way Android phones are set up to share information between different programs, the platform has a history of bad actors attempting to exploit inter-app communication and leverage it toward malicious ends. Specifically, “bad apps” or programs secretly run by a bad actor may look for ways to access data on legitimate apps.
ShareIt is set up to essentially swing the doors wide open to other apps when it comes to data exchange via its content provider interface. According to researchers, these vulnerabilities could allow “any third-party entity” to “gain temporary read/write access to the [app’s] content provider’s data.” This would essentially allow for a hijacking of the app to run “custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge,” ZDNet notes.
Trend Micro researchers discovered this vulnerability by testing it themselves. By manipulating how apps in the Android ecosystem talk to each other, they found that the ShareIt app would share way too much information, revealing a user’s “arbitrary activities, including ShareIt’s internal (non-public) and external app activities.” In various ways, these security flaws could ultimately be “abused to leak a user’s sensitive data and execute arbitrary code with ShareIt permissions,” researchers write.
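Developers can check their own apps for this class of exposure by auditing the manifest. The following is an added example, not code from Trend Micro's report or from ShareIt: a small Python audit that flags components reachable by other apps without a permission, and content providers that allow temporary URI grants. The manifest, package and component names are constructed, and the handling of Android's exported defaults is simplified.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
GUARDS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <provider android:name=".FilesProvider"
        android:authorities="com.example.fileshare.files"
        android:exported="false" android:grantUriPermissions="true" />
    <provider android:name=".OpenProvider"
        android:authorities="com.example.fileshare.open" android:exported="true" />
    <receiver android:name=".ViewReceiver">
      <intent-filter><action android:name="com.example.fileshare.VIEW" /></intent-filter>
    </receiver>
    <activity android:name=".InternalActivity" android:exported="false" />
  </application>
</manifest>"""

def is_exported(elem):
    """An explicit android:exported wins. Without it, an intent-filter makes the
    component exported (the default for apps targeting below Android 12)."""
    value = elem.get(ANDROID + "exported")
    if value is not None:
        return value.lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (component name, tag, issue) tuples for components other apps can reach."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    app_guard = app.get(ANDROID + "permission")  # applies to every component
    for elem in app:
        if elem.tag not in COMPONENTS:
            continue
        name = elem.get(ANDROID + "name")
        guarded = app_guard or any(elem.get(ANDROID + g) for g in GUARDS)
        if is_exported(elem) and not guarded:
            findings.append((name, elem.tag, "exported without a permission"))
        grants = elem.get(ANDROID + "grantUriPermissions", "").lower() == "true"
        if elem.tag == "provider" and grants:
            findings.append((name, elem.tag, "grantUriPermissions=true: review "
                             "path scope and which components can trigger grants"))
    return findings
```

A non-exported provider with `grantUriPermissions` enabled is flagged for review rather than as a defect, since whether it is safe depends on which of the app's own exported components can be made to hand out those grants.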
Probably the worst thing in the whole report is the fact that Trend Micro says it shared these security issues with Smart Media4U about three months ago and that the company apparently did nothing. The report concludes:
We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack, because the attacker can steal sensitive data and do anything with the apps’ permission.
This is also not the first time that ShareIt has been flagged as a security risk. The app was actually…