File-sharing Android application has deep security flaws

A file-sharing app that claims to have been downloaded from the Google Play Store more than 1 billion times has serious security flaws.


An Android app used by a significant portion of the global population also has blatant security holes that would allow an experienced hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.

ShareIt, which claims to have more than 1 billion global downloads, is the product of the Singapore-based developer Smart Media4U. Its main feature is point-to-point file sharing, which gives users the ability to exchange photos, music, videos, gifs, etc. The app, which has been on an upward trend in recent years, got recognition for its rapid growth and global reach.

But it also apparently has software vulnerabilities that would allow a wrongdoer to easily leak a user’s data or even execute arbitrary code by abusing ShareIt’s permissions, according to a new report from Trend Micro.


The report shows that one of the application’s main vulnerabilities stems from how it shares information and permissions with other applications. In fact, due to the way Android phones are configured to share information between different programs, the platform has a history of malefactors trying to exploit communication between applications and leverage it for malicious purposes. Specifically, “bad apps” or programs run secretly by an evildoer can look for ways to access data in legitimate applications.

ShareIt is configured to essentially open the door to other applications when it comes to exchanging data through its content provider interface. According to the researchers, these vulnerabilities could allow “any third party entity” “to obtain temporary read / write access to the [app’s] content provider data.” This would basically allow an app hijacker to run “custom code, overwrite local application files or install third party applications without the user’s knowledge,” ZDNet notes.

Trend Micro researchers discovered this vulnerability by doing this themselves. By manipulating how apps in the Android ecosystem talk to each other, they found that the ShareIt app would share a lot of information, revealing a user’s “arbitrary activities, including ShareIt’s internal (non-public) and external application activities.” In many ways, these security holes can be “abused to leak a user’s confidential data and run arbitrary code with ShareIt permissions,” write the researchers.
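An added example, not from the article or Trend Micro’s report: a small Python audit of an app manifest for the two conditions described above, components that other apps can reach and content providers that hand out temporary read/write access. The manifest and the package name com.example.fileshare are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical app (com.example.fileshare); not from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".InstallActivity" android:exported="false"/>
    <receiver android:name=".DownloadReceiver">
      <intent-filter><action android:name="com.example.fileshare.DOWNLOAD_DONE"/></intent-filter>
    </receiver>
    <provider android:name=".FileProvider" android:authorities="com.example.fileshare.files"
        android:exported="false" android:grantUriPermissions="true"/>
    <provider android:name=".OpenProvider" android:authorities="com.example.fileshare.open"
        android:exported="true"/>
    <provider android:name=".GuardedProvider" android:authorities="com.example.fileshare.guarded"
        android:exported="true" android:readPermission="com.example.fileshare.READ"
        android:writePermission="com.example.fileshare.WRITE"/>
  </application>
</manifest>"""

def is_exported(el):
    """Explicit android:exported wins; without it, an intent-filter implies exported (pre-Android 12)."""
    flag = el.get(NS + "exported")
    return flag == "true" if flag is not None else el.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (component, finding) pairs a reviewer should look at."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in COMPONENTS:
            continue
        name = el.get(NS + "name")
        launcher = any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
                       for c in el.iter("category"))
        guarded = any(el.get(NS + p) for p in ("permission", "readPermission", "writePermission"))
        if is_exported(el) and not guarded and not launcher:
            findings.append((name, "reachable by any app: exported without a permission"))
        if el.tag == "provider" and el.get(NS + "grantUriPermissions") == "true":
            findings.append((name, "hands out temporary URI grants: check every code path that issues them"))
    return findings
```

A provider with grantUriPermissions enabled is a common and legitimate pattern; the finding marks it for review because the grants are only as safe as the components that decide when to issue them.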

Probably the worst thing in the entire report is the fact that Trend Micro says it shared these security issues with Smart Media4U about three months ago and that the company apparently did nothing. The report concludes:

We reported these vulnerabilities to the supplier, who has not yet responded. We decided to release our survey three months after reporting this, as many users could be affected by this attack, because the attacker could steal sensitive data and do anything with the permission of the applications.

This is also not the first time that ShareIt has been flagged as a security risk. In fact, the app was blacklisted by the US in January, when a vaguely drafted executive order from Trump’s White House listed it as one of several “connected Chinese” apps that Americans should stay away from for fear of where their data could go. On his way out the door, Trump issued a blitz of such requests targeted at the Asian technology sector, most of which seemed destined to antagonize and isolate Chinese companies. The order proclaims:

The United States has assessed that a number of connected Chinese software applications automatically capture large ranges of information from millions of users in the United States, including confidential personally identifiable information and private information. At this point, steps must be taken to address the threat posed by these connected software applications in China …

A ton of Americans are unlikely to actually use ShareIt. Industry stores seem to show that the majority of the application’s user base is located in the Middle East, Africa and Asia (it was recently banned in India, where the government has banned its military personnel from using the app due to data security issues). However, if you downloaded ShareIt and are using it for some reason, it might be better to rethink that decision.

We have contacted Smart Media4U for comment and will update this story if we receive a response.
