As consumers, we like to think that companies earning our money will do everything possible to keep their end of the bargain. In the app and software business, that means developers keeping their products updated. That’s what makes situations like this frustrating. Android app SHAREit left security vulnerabilities unpatched for more than three months.
Identifying SHAREit Security Vulnerabilities
The SHAREit Android app provides users a way to share files with friends or between devices. Trend Micro mobile threats analyst Echo Duan said in a report on February 15, 2021, that the app contains security vulnerabilities caused by a lack of proper restrictions on the app’s code.
The SHAREit vulnerabilities can be exploited to run malicious code on phones where the app has been installed. This can be done through malicious apps that get installed on the device or through a man-in-the-middle network attack.
Malicious commands sent to the SHAREit app through one of these methods take over the device, then run custom code, overwrite files, and install other apps, with the user being none the wiser.
The SHAREit Android app is also susceptible to “man-in-the-disk” attacks. In this type of attack, sensitive app resources are stored insecurely, in an area of the phone that is shared with other apps. This leaves the app’s files vulnerable to being edited, replaced, or even deleted.
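The defensive check an app can apply against this kind of tampering, as an added example that is not from Trend Micro's report or from SHAREit's code: record a digest of each file when it is written, keep that record in app-private storage, and verify every file in the shared area before using it. It is written in Python rather than Android code so it runs anywhere, and the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest of a file's current contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def record_trusted(shared_dir: Path) -> dict:
    """Record digests at write time; keep the result in app-private storage,
    never next to the files it describes."""
    return {p.name: sha256_file(p) for p in shared_dir.iterdir() if p.is_file()}


def audit_shared(shared_dir: Path, trusted: dict) -> dict:
    """Classify every file as ok, modified, missing or unexpected before use."""
    report = {}
    for name, expected in trusted.items():
        path = shared_dir / name
        if not path.is_file():
            report[name] = "missing"      # deleted by another app
        elif path.is_symlink() or sha256_file(path) != expected:
            report[name] = "modified"     # edited, replaced or redirected
        else:
            report[name] = "ok"
    for path in shared_dir.iterdir():
        # Anything the app did not write itself must not be loaded or installed.
        report.setdefault(path.name, "unexpected")
    return report


def demo() -> dict:
    """Constructed scenario: a second app edits, deletes and plants files."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)  # stands in for the shared storage area (assumption)
        for name in ("update.apk", "settings.json", "cache.bin"):
            (shared / name).write_bytes(b"constructed original: " + name.encode())
        trusted = record_trusted(shared)
        (shared / "update.apk").write_bytes(b"constructed replacement")
        (shared / "cache.bin").unlink()
        (shared / "extra.so").write_bytes(b"constructed planted file")
        return audit_shared(shared, trusted)


if __name__ == "__main__":
    print(demo())
```

Only files reported as `ok` should be opened, parsed or installed; anything else is discarded and fetched again into private storage.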
SHAREit Developer Compliance
Given how much damage the SHAREit security vulnerabilities can do, you would think the app developers would be anxious to fix them as soon as possible. However, this has not happened – for three months.
“We reported these vulnerabilities to the vendor, who has not responded yet,” reported Duan.
He further noted, “We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data.”
Duan also said he shared the SHAREit security vulnerabilities with Google. However, he did not disclose how the company responded. A quick check shows that SHAREit is still up on the Play Store. Additionally, the developers have been answering comments left in the reviews within that three-month time frame, and the listing shows that the app was last updated on February 9, 2021 – without fixing the security vulnerabilities, according to Duan.
SHAREit claims on its website that its apps have 1.8 billion users across 200 countries. It can be assumed the majority of users do not know about the security bugs. The SHAREit iOS app, however, was not affected by the vulnerabilities.