Multiple security vulnerabilities in the Android version of the SHAREit mobile application could allow an attacker to achieve remote code execution (RCE). According to an analysis from Trend Micro, the unpatched flaws in the SHAREit app, which has more than one billion downloads in the Play Store, can be abused to steal users' sensitive data and execute arbitrary code by injecting malicious code.
SHAREit’s Critical Vulnerabilities
Trend Micro found that SHAREit's code declares a broadcast receiver, "com.lenovo.anyshare.app.DefaultReceiver", which receives the action "com.ushareit.package.action.install_completed" together with an extra Intent and then calls startActivity() on it. It was also found that the developer disabled the exported attribute (android:exported="false") but enabled android:grantUriPermissions="true", which allows any third-party entity to gain temporary read/write access to the content provider's data.
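The manifest combination described above (a non-exported content provider that still sets android:grantUriPermissions="true") is something a reviewer can catch statically. The following audit script is an added example, not code from Trend Micro or from SHAREit: it parses an AndroidManifest.xml and flags providers that grant URI permissions (and whether they restrict the grant to specific paths via the <grant-uri-permission> child element), plus any component reachable from other apps. The manifest it runs on is a constructed sample with hypothetical component names, not SHAREit's real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package, not SHAREit's real manifest):
# one provider that is not exported but grants URI permissions for every path,
# one provider that grants them only under a fixed path, one safe provider,
# and a receiver that is reachable because it has an intent-filter and no
# explicit android:exported value (which defaults to exported on API < 31).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <application>
    <provider android:name=".WideOpenProvider"
              android:authorities="com.example.hypothetical.files"
              android:exported="false"
              android:grantUriPermissions="true" />
    <provider android:name=".ScopedProvider"
              android:authorities="com.example.hypothetical.shared"
              android:exported="false"
              android:grantUriPermissions="true">
      <grant-uri-permission android:pathPrefix="/shared/" />
    </provider>
    <provider android:name=".SafeProvider"
              android:authorities="com.example.hypothetical.private"
              android:exported="false"
              android:grantUriPermissions="false" />
    <receiver android:name=".InstallCompletedReceiver">
      <intent-filter>
        <action android:name="com.example.hypothetical.INSTALL_COMPLETED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false" />
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_providers(root):
    """Flag providers that let other apps obtain temporary URI grants.

    Returns a list of (component name, severity, reason) tuples.
    """
    findings = []
    for provider in root.iter("provider"):
        name = attr(provider, "name")
        if attr(provider, "grantUriPermissions") != "true":
            continue
        scoped = provider.find("grant-uri-permission") is not None
        if scoped:
            findings.append((name, "medium",
                             "grantUriPermissions=true limited by <grant-uri-permission>; "
                             "verify the listed paths hold nothing sensitive"))
        else:
            findings.append((name, "high",
                             "grantUriPermissions=true for every path while exported=%s: "
                             "any app handed a content URI with grant flags gets temporary "
                             "read/write access to the provider's data" % attr(provider, "exported")))
    return findings


def audit_exposed_components(root):
    """Flag activities, receivers and services that other apps can reach."""
    findings = []
    for kind in ("activity", "receiver", "service"):
        for elem in root.iter(kind):
            exported = attr(elem, "exported")
            has_filter = elem.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                findings.append((attr(elem, "name"), "info",
                                 "%s is reachable from other apps (exported=%s, intent-filter=%s); "
                                 "any Intent it forwards via startActivity() must be validated"
                                 % (kind, exported, has_filter)))
    return findings


def audit_manifest(xml_text):
    """Run both checks over a manifest string and return all findings."""
    root = ET.fromstring(xml_text)
    return audit_providers(root) + audit_exposed_components(root)


if __name__ == "__main__":
    for name, severity, reason in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (severity.upper(), name, reason))
```

Running it on the constructed manifest reports the wide-open provider as high, the path-scoped one as medium, and the receiver with an intent-filter but no explicit exported value as reachable; the safe provider and the non-exported receiver are silent.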
“We found that SHAREit generates vdex/odex files after dex2oat when first launched. The app then loads these files directly in subsequent running. An attacker may craft a fake vdex/odex file, then replace those files via the abovementioned vulnerability to perform code execution. Also, we noticed that SHAREit has set up deep links using URLs leading to specific features in the app. These contain features that can download and install any Android Package (APK),” Trend Micro said.
No Response from the App Developer
Developed by Singapore-based Smart Media4U Technology Pte. Ltd., SHAREit allows users to transfer files between devices. The app developer has not addressed the flaws despite responsible disclosure three months ago.
“We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable,” Trend Micro added.
App security should be a top priority for users, organizations, and app developers. Users must be vigilant when installing any app on their mobile devices. Regularly updating and patching mobile operating systems and apps enhances device security.