Security bugs not fixed in the Android app with a billion downloads


An Android app downloaded more than a billion times contains unpatched vulnerabilities that the app’s manufacturer has been unable to fix for more than three months.


The vulnerabilities affect the Android version of SHAREit, a mobile application that allows users to share files with friends or between personal devices.

The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, said Echo Duan, a mobile threat analyst at security firm Trend Micro, in a report on Monday.

The root cause of the vulnerabilities is a lack of adequate restrictions on which applications are allowed to access the app's code and components.

Duan said that malicious applications installed on a user’s device or attackers who perform a person-in-the-middle attack can send malicious commands to the SHAREit application and hijack its legitimate resources to run custom code, overwrite local application files, or install third-party applications without the user’s knowledge.

In addition, the application is vulnerable to so-called Man-in-the-Disk attacks, a class of vulnerability first described by Check Point in 2018. It centers on the insecure storage of sensitive application resources in a location on the phone's shared storage that other applications can also access, where they can be deleted, edited or replaced by attackers.

The app manufacturer has not responded for three months

“We have reported these vulnerabilities to the supplier, who has not yet responded,” Duan said today.

“We decided to release our survey three months after reporting this, as many users could be affected by this attack because the attacker could steal sensitive data,” he added, noting that any such attack would also be difficult to detect from a defender’s perspective.

Contacted by email, a SHAREit spokesperson did not return a request for comment before this article was published.

Duan said he also shared his findings with Google, but did not elaborate on the Play Store owner’s response.

On their website, the developers of SHAREit claim that their applications are used by 1.8 billion users in more than 200 countries worldwide. The vulnerabilities do not affect the SHAREit iOS application, which runs on a different code base.
