Multiple unpatched vulnerabilities have been discovered in SHAREit, a popular app with over one billion downloads, that could be abused to leak a user’s sensitive data, execute arbitrary code, and possibly lead to remote code execution.
The findings come from cybersecurity firm Trend Micro’s analysis of the Android version of the app, which allows users to share or transfer files between devices.
But in a worrisome twist, the flaws are yet to be patched by Smart Media4U Technology Pte. Ltd., the Singapore-based developer of the app, despite responsible disclosure three months ago.
“We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission,” Trend Micro researcher Echo Duan said in a write-up. “It is also not easily detectable.”
One of the flaws arises from the manner the app facilitates sharing of files (via Android’s FileProvider), potentially allowing any third-party to gain temporary read/write access permissions and exploit them to overwrite existing files in the app’s data folder.
Separately, the use of deep links to launch specific features in the app — including downloading split APK (SAPK) files from a URL that has the scheme of HTTP/HTTPS and domain host that matches *.wshareit.com or gshare.cdn.shareitgames.com — can be leveraged to install a malicious app, resulting in a possible remote code execution when a user clicks on a URL.
“When the user clicks this download URL, Chrome will call SHAREit to download the SAPK from https://gshare.cdn.shareitgames.com,” Duan explained. “Since it supports the HTTP protocol, this SAPK can be replaced by simulating a man-in-the-middle (MitM) attack.”
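The weakness described above is that the deep-link handler accepts a download URL over plain HTTP, which is what lets the SAPK be swapped on the network, and that it keys trust on a host pattern. As an added illustration (constructed for this article, not SHAREit's code or Trend Micro's proof of concept), the following Python function shows the check a download handler should apply before fetching anything: refuse any scheme other than `https`, refuse URLs carrying user-info, and match the host against the allowlist strictly, so that a wildcard entry like `*.wshareit.com` accepts only real subdomains and never a look-alike such as `evil-wshareit.com` or a host that merely begins with the allowed name. The allowlist reuses the two hosts quoted in the article; the sample URLs and function names are assumptions.

```python
"""Deep-link download URL validation (added, constructed example).

Accept only https URLs whose host is on a strict allowlist, so a plain-HTTP
download cannot be replaced in transit and a look-alike host cannot pass.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Hosts quoted in the article. A "*." entry matches proper subdomains only,
# never the bare domain and never a host that just ends in the same letters.
ALLOWED_HOSTS = ("*.wshareit.com", "gshare.cdn.shareitgames.com")


def host_allowed(host: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Return True if host matches an allowlist entry (case-insensitive)."""
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            # Compare against ".wshareit.com" so "evil-wshareit.com" fails:
            # the label boundary (the dot) is part of the suffix.
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def check_download_url(url: str, allowlist=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether a deep-link download URL may be fetched.

    Returns (ok, reason). Every rejection names the failing property so a
    handler can log it; the caller must not fetch when ok is False.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} rejected: only https is accepted"
    if parts.username or parts.password:
        # "https://trusted.host@attacker.example/" parses the real host after '@'
        return False, "credentials in URL rejected"
    host = parts.hostname or ""
    if not host:
        return False, "missing host"
    if not host_allowed(host, allowlist):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


# Constructed sample URLs: the two allowed hosts plus the usual bypass shapes.
SAMPLE_URLS = (
    "https://gshare.cdn.shareitgames.com/app.sapk",
    "https://cdn.wshareit.com/app.sapk",
    "http://gshare.cdn.shareitgames.com/app.sapk",          # plain HTTP
    "https://wshareit.com/app.sapk",                        # bare domain
    "https://evil-wshareit.com/app.sapk",                   # look-alike
    "https://gshare.cdn.shareitgames.com.attacker.example/app.sapk",
    "https://gshare.cdn.shareitgames.com@attacker.example/app.sapk",
)


def audit_sample_urls() -> dict:
    """Map each sample URL to its (ok, reason) verdict."""
    return {u: check_download_url(u) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, reason) in audit_sample_urls().items():
        print("ACCEPT" if ok else "REJECT", url, "-", reason)
```

Only the first two sample URLs are accepted; the bare domain is rejected on purpose because the pattern in the article is `*.wshareit.com`, and a handler that wants to allow it should add the exact host as a second entry rather than loosen the wildcard match.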
Lastly, the app is also susceptible to what’s called a man-in-the-disk (MitD) attack, which arises when careless use of “external storage” permissions opens the door to the installation of fraudulent apps and even causes a denial of service condition.
SHAREit has courted a fair share of security shortcomings in the past. In February 2019, two vulnerabilities were detected in the app that could allow attackers to bypass authentication, download arbitrary files, and pilfer files from Android devices.
A pop-up from the fake Twitter app created to test the vulnerability
Then on June 29, 2020, the Indian government banned SHAREit along with 58 other Chinese apps over concerns that these apps were engaging in activities that threatened “national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India.”
We have reached out to the developers of SHAREit, and we will update the story if we hear back.