
Trend Micro claims to have found “several” security holes in the popular Android application ShareIt. ShareIt has been downloaded more than a billion times from the Play Store and, according to App Annie, was one of the 10 most downloaded apps globally in 2019. The app was originally developed by Lenovo (it has since been spun off into its own company) and for a while it was pre-installed on Lenovo phones.
The report says that ShareIt’s vulnerabilities could “be abused to leak sensitive user data and run arbitrary code with ShareIt permissions”. ShareIt’s permissions, as a local file sharing app, are quite extensive. According to the Play Store permissions listing, ShareIt requests access to all user storage and all media, the camera, the microphone and location. It can delete applications, run at startup, create accounts and set passwords, and do much more. It also has full network access. Trend Micro says that compromising the application can lead to remote code execution. The security company says it shared these vulnerabilities with ShareIt three months ago, but the company has not yet released patches.
ShareIt’s incredible success of a billion Android downloads and 1.8 billion users worldwide (there are also apps for iOS, Windows and Mac) has led to what appears to be an incredible amount of application bloat. The app was considered one of the best for local file sharing, but today the Play Store listing shows an app that offers “Infinite online videos”, “Tens of millions of high quality songs”, “GIFs, wallpapers and stickers”, a “popular” media section that looks like a social network, a game store, a retail movie download section, COVID-19 check-in activity and case statistics, and what appears to be its own form of currency. The ShareIt website (which, like the app, does not use HTTPS by default) says the service is “now a leading content platform” and popular in Southeast Asia, South Asia, the Middle East, Africa and Russia.
When private storage is not private
Trend Micro’s report details a long list of bad design decisions in ShareIt that could make it more susceptible to malicious code. One problem is a common Android application vulnerability that arises when developers configure a content provider incorrectly. Android prides itself on inter-app communication, in part because any app can create a content provider and offer its content and services to other apps. If Gmail wants to attach a file to an email, it can do so by showing a list of the file content providers installed on the phone (it’s basically an “open with” dialog), and the user can choose their favorite file manager, browse their storage and pass the file they want to Gmail. It is up to developers to sanitize these cross-app capabilities and expose only the file manager features that Gmail and other applications need.
ShareIt doesn’t seem to have given much thought to the need to sanitize its content provider capabilities. The report says: “The developer behind this has disabled the exported attribute via android:exported="false", but has enabled the android:grantUriPermissions="true" attribute. This indicates that any third party entity can still gain temporary read/write access to data from the content provider.” Passing on some permissions is normal, but Trend Micro has found that ShareIt does not attempt to scope its permissions and will happily provide its files to any application that asks. A malicious developer need only call the ShareIt file content provider and pass it a file path to retrieve any of the files that make up the ShareIt application.
The file paths that ShareIt will offer are limited to its own data files, but this means that other applications can edit the data ShareIt uses to run, including the application cache that is generated during installation and at runtime. The report says that “an attacker can create a fake [app cache] file and then replace those files using the mentioned vulnerability to perform code execution.” These files typically live in private storage, but ShareIt’s private storage is open to the world.
ShareIt also comes with its own Android app installer. With its private storage no longer being “private”, it repeats the same mistakes we saw in the Fortnite installer. It downloads an application’s installation files to world-readable storage, where they are vulnerable to a “Man-in-the-disk” attack. Installation files need to be protected in private storage until they are installed; in public storage, the installation package can be swapped out after it is downloaded but before it is installed. The user thinks they are installing the legitimate application they just downloaded, but in fact it is a malicious imposter.
“The attacker can steal sensitive data”
An extra problem is that the ShareIt game store can apparently download application data over insecure HTTP, where it could be subject to a man-in-the-middle attack. ShareIt registers itself as the handler for any link that ends in one of its domains, such as “wshareit.com” or “gshare.cdn.shareitgames.com”, and will pop up automatically when users click on a download link. Most applications force all traffic to HTTPS, but ShareIt does not. Chrome blocks HTTP download traffic, so the attack would have to happen through a web interface other than the main browser.
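Both the content provider setting described in the report and the plain-HTTP link handling above are visible in an app's manifest. The following is an added example, not code from Trend Micro or ShareIt: a small audit of a decoded (text XML) AndroidManifest.xml that flags providers whose data can be handed out wholesale through URI grants and activities that register for http:// links. The sample manifest and every package, component and host name in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package, component and host names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fileshare">
  <application>
    <provider android:name=".WideProvider"
              android:authorities="com.example.fileshare.wide"
              android:exported="false"
              android:grantUriPermissions="true"/>
    <provider android:name=".ScopedProvider"
              android:authorities="com.example.fileshare.scoped"
              android:exported="false"
              android:grantUriPermissions="false">
      <grant-uri-permission android:pathPrefix="/shared/"/>
    </provider>
    <activity android:name=".DownloadActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="http" android:host="downloads.example.com"/>
        <data android:scheme="https" android:host="downloads.example.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (kind, component, detail) findings for a decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for prov in root.iter("provider"):
        # exported="false" blocks direct access only; with
        # grantUriPermissions="true" any path in the provider can be granted.
        if prov.get(ANDROID + "grantUriPermissions") == "true":
            detail = "exported=" + prov.get(ANDROID + "exported", "unset")
            findings.append(("unscoped-uri-grant", prov.get(ANDROID + "name"), detail))
    for activity in root.iter("activity"):
        for data in activity.iter("data"):
            if data.get(ANDROID + "scheme") == "http":
                host = data.get(ANDROID + "host", "*")
                findings.append(("cleartext-link-handler", activity.get(ANDROID + "name"), host))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A finding on an androidx FileProvider is a prompt to review its paths XML rather than a defect in itself, since that class requires grantUriPermissions="true" and scopes access through the paths file. The second provider in the sample is not flagged because it sets the attribute to "false" and lists the one path prefix that may be granted.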
Trend Micro ends by saying, “We reported these vulnerabilities to the supplier, who has not yet responded. We decided to disclose our survey three months after reporting this, as many users could be affected by this attack, because the attacker could steal sensitive data and do anything with the permission of the apps.” Users should probably uninstall the app as soon as possible. If you’re looking for a safer file sharing alternative, Google’s file manager can now do local sharing over Wi-Fi and should be written with best security practices.