ShareIt Android app for file sharing has deep security flaws

A file-sharing app that claims to have been downloaded more than 1 billion times from the Google Play Store has serious security vulnerabilities.

Photo: Sam Rutherford / Gizmodo

An Android app used by a significant portion of the world’s population also has glaring security flaws that could allow a savvy hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.

SHAREit, which claims more than 1 billion worldwide downloads, is the product of Singapore-based developer Smart Media4U. Its main function is peer-to-peer file sharing, which allows users to exchange photos, music, videos, GIFs, etc. The app, which has been on an upward trajectory in recent years, has gained recognition due to its rapid growth and global reach.

But it also apparently has software vulnerabilities that allow a bad actor to easily leak a user’s data or even execute arbitrary code by exploiting SHAREit’s permissions, according to a new report from Trend Micro.

Screenshot: Lucas Ropek / Google Play Store / SHAREit

The report shows that one of the app’s main vulnerabilities has to do with the way information and permissions are shared with other apps. Indeed, because of the way Android phones are set up to share information between different programs, the platform has a history of bad actors trying to exploit and use communication between apps for malicious purposes. In particular, “bad apps,” or programs secretly controlled by a bad actor, may be looking for ways to access data in legitimate apps.

SHAREit was set up to essentially swing the doors wide open to other apps when it comes to data exchange through the content provider interface. According to researchers, these vulnerabilities could allow “any external entity” to gain “temporary read/write access to the [app’s] information from the content provider.” This would essentially allow whoever hijacks the app to “run custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge,” ZDNet notes.

Trend Micro researchers discovered this vulnerability by trying it themselves. By manipulating how apps in the Android ecosystem talk to each other, they found that the SHAREit app would expose far too much, allowing “arbitrary activities of a user, including that of SHAREit internal (non-public) and external app activities” to be launched. In several ways, these vulnerabilities could eventually be “exploited to leak sensitive user data and run arbitrary code with SHAREit permissions,” the researchers write.
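The exposure the researchers describe (a content provider reachable by other apps, and temporary read/write access handed out through URI grants) is something a defender can check for in an app’s own manifest before shipping. The auditor below is an added example, not code from the article or from Trend Micro, SHAREit or Smart Media4U. It walks an `AndroidManifest.xml`, flags `<provider>` elements that are exported without a protecting permission and those that set `android:grantUriPermissions="true"`, and runs against a constructed sample manifest (not SHAREit’s real manifest). It assumes the documented Android rule that, when `android:exported` is omitted, a provider defaults to exported only if `targetSdkVersion` is below 17.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes (android:exported, android:permission, ...) live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, NOT SHAREit's real manifest: three providers with different
# exposure levels so that each rule below fires on a known element.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filesharer">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application>
    <!-- weak: reachable by any installed app, no permission required -->
    <provider android:name=".OpenFileProvider"
              android:authorities="com.example.filesharer.files"
              android:exported="true"/>
    <!-- not exported, but any component holding a URI grant gets temporary read/write -->
    <provider android:name=".GrantingProvider"
              android:authorities="com.example.filesharer.cache"
              android:exported="false"
              android:grantUriPermissions="true"/>
    <!-- hardened: not exported and gated behind an app-defined permission -->
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.filesharer.private"
              android:exported="false"
              android:permission="com.example.filesharer.ACCESS_PRIVATE"/>
  </application>
</manifest>
"""


def android_attr(element, name, default=None):
    """Read an android:-namespaced attribute such as android:exported."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def audit_providers(manifest_xml):
    """Return one (provider name, [issues]) tuple per <provider> other apps could reach."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(android_attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else 1

    findings = []
    for provider in root.iter("provider"):
        name = android_attr(provider, "name", "<unnamed>")
        issues = []

        exported = android_attr(provider, "exported")
        if exported is None:
            # Assumption (see lead-in): with android:exported omitted, providers are exported
            # by default only when the app targets an SDK below 17.
            is_exported = target_sdk < 17
        else:
            is_exported = exported.strip().lower() == "true"

        guarded = any(android_attr(provider, a) for a in ("permission", "readPermission", "writePermission"))
        if is_exported and not guarded:
            issues.append("exported with no permission: any installed app can query/insert")
        elif is_exported:
            issues.append("exported: verify the protecting permission is signature-level")

        if android_attr(provider, "grantUriPermissions", "false").strip().lower() == "true":
            issues.append("grantUriPermissions=true: URI grants can hand other apps temporary read/write access")

        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for provider_name, provider_issues in audit_providers(SAMPLE_MANIFEST):
        print(provider_name)
        for issue in provider_issues:
            print("  -", issue)
```

Run against the sample, the auditor reports the open provider and the granting provider and stays silent on the hardened one. A `grantUriPermissions` finding is not automatically a bug, but it is exactly the “temporary read/write access” path quoted above, so every component that can forward a content URI (exported activities, receivers, services) should be reviewed alongside it.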

Probably the worst thing in the entire report is the fact that Trend Micro says it shared these security vulnerabilities with Smart Media4U about three months ago and the company apparently did nothing. The report concludes:

We have reported these vulnerabilities to the vendor, who has not yet responded. We decided to make our investigation public three months after reporting it, as many users may be affected by this attack, as the attacker can steal sensitive data and do anything with the permissions of the apps.

This is also not the first time that SHAREit has been flagged as a security risk. The app was blacklisted by the US in January, when a vaguely worded Trump White House executive order listed it as one of many “Chinese connected” applications Americans should stay away from for fear of where their data might end up. On his way out of office, Trump issued a blitz of such orders targeting the Asian tech sector, most of which seemed intended to thwart and isolate Chinese companies. The order proclaims:

The United States has identified a number of Chinese connected software applications that automatically capture massive amounts of information from millions of users in the United States, including sensitive personally identifiable information and private information. At this point, action must be taken to address the threat posed by these Chinese connected software applications …

Many Americans are unlikely to actually use SHAREit; industry outlets seem to show that a majority of the app’s user base is in the Middle East, Africa, and Asia (it was recently banned in India, where the government also barred its military personnel from using the app due to data security concerns). However, if you are using SHAREit for some reason, it might be best to reconsider that decision.

We’ve reached out to Smart Media4U for comment and will update this story if we hear anything.
