File-sharing app SHAREit has several security flaws that expose users to the risk of remote code execution and sensitive data leaks. Trend Micro disclosed the flaws after auditing the app, one of the most popular Android file-sharing apps, with over a billion downloads on the Google Play Store.
The app was initially developed by Lenovo before branching into an independent company, Smart Media4U. It shipped pre-installed on various devices, including Lenovo phones.
Trend Micro researchers shared the vulnerabilities with SHAREit's developers and disclosed the information to the public after three months with no response or patch.
The cybersecurity firm built proof-of-concept (PoC) code that could execute arbitrary actions through the app.
SHAREit file-sharing app could leak sensitive data and execute arbitrary code
Trend Micro says that the SHAREit file-sharing app security flaws could be “abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions.”
The app requests an extensive list of permissions, making it an excellent candidate for abuse.
The SHAREit app requests access to device storage, location, microphone, and camera. It also requests permission to run at startup, create user accounts and set passwords, and have full network access, among others.
However, the file-sharing app claims that it will not “access permissions that are irrelevant to our operation.”
SHAREit also describes itself as a file-sharing app and a leading content provider offering infinite online video, millions of high-quality songs, gifs, wallpapers, and stickers.
SHAREit's poor app design responsible for the security flaw
Trend Micro attributes the security flaw to the file-sharing app's poor design. The problem originates from the way the app developers set up content providers, the Android feature that allows communication among apps on the platform.
Improper setup of content providers could make an Android app vulnerable to the execution of malicious code. App developers must sanitize content providers to avoid exploitation by attackers, but SHAREit developers failed to do so.
SHAREit content providers grant third parties temporary read/write permissions
Trend Micro noted that “the developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute.”
The developers did not limit access to app files, and SHAREit serves all its files to apps that request access.
Given that the file-sharing app has access permissions, this security flaw grants the third-party app temporary read/write access to user data. An attacker only has to request SHAREit’s file-content provider and send a path to get files in the SHAREit directory.
Although attackers could only access SHAREit’s data files, they could edit those files, including SHAREit’s cache, and attach malicious code to be executed by the app.
Trend Micro says that “an attacker may craft a fake file, then replace those files via the aforementioned vulnerability to perform code execution.”
Attackers could steal or replace files through Man-in-the-Middle and Man-in-the-Disk attacks
The accessibility of SHAREit’s private files exposes them to Man-in-the-Disk attacks. This security flaw was responsible for Epic Fortnite’s breach.
“Even worse, the developer specified a wide storage area root path. In this case, all files in the /data/data/ folder can be freely accessed,” Trend Micro says.
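The combination described above (a non-exported provider that still hands out URI grants over a wide root path) can be checked for during an app review. The following is an added example, not code from Trend Micro or SHAREit; it assumes a FileProvider-style provider with a paths resource, and the package, authority and class names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest fragment (hypothetical package and names).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fileshare.fileprovider"
        android:exported="false"
        android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
          android:resource="@xml/file_paths"/>
    </provider>
    <provider android:name=".StatsProvider"
        android:authorities="com.example.fileshare.stats"
        android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: res/xml/file_paths.xml with one wide and one narrow entry.
FILE_PATHS = """<paths>
  <root-path name="root" path="/"/>
  <cache-path name="shared" path="outgoing/"/>
</paths>"""

def wide_paths(paths_xml):
    """Return entries that expose the filesystem root or a whole base directory."""
    findings = []
    for el in ET.fromstring(paths_xml):
        path = el.get("path", "").strip()
        if el.tag == "root-path" or path in ("", ".", "/"):
            findings.append((el.tag, el.get("name"), path))
    return findings

def audit(manifest_xml, paths_xml):
    """Flag providers that grant URI permissions over wide paths, even if not exported."""
    report = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        grants = prov.get(ANDROID + "grantUriPermissions", "false") == "true"
        has_paths = any(m.get(ANDROID + "name", "").endswith("FILE_PROVIDER_PATHS")
                        for m in prov.iter("meta-data"))
        if grants and has_paths:
            wide = wide_paths(paths_xml)
            if wide:
                report.append((prov.get(ANDROID + "authorities"), wide))
    return report
```

A finding here means android:exported="false" is not protecting the files: any URI grant the app issues can reach everything under the listed path, so the paths resource should name only a dedicated sharing subdirectory.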
The SHAREit app installer also opens links associated with the app, such as “wshareit.com” and “gshare.cdn.shareitgames.com”, by default and downloads app data over insecure HTTP.
Because the download connection is not encrypted, an attacker can steal sensitive data and execute man-in-the-middle attacks.
Seemingly, SHAREit’s efficiency and its subsequent popularity came at the expense of security.
SHAREit finally released an updated app on Feb. 23, 2021, and users should replace the old application with the patched version.
Anurag Kahol, CTO and Cofounder of Bitglass, says some of the billion users who downloaded the file-sharing app could have their sensitive data stolen without their knowledge.
“While it was not disclosed whether the flaw has been exploited, app makers have failed to patch it, meaning malicious actors still have time to access users’ private information and leverage it in highly targeted phishing attacks,” Kahol adds. “In fact, 57% of data breach victims say their information was compromised due to an unpatched, known vulnerability.”
Craig Young, a principal security researcher at Tripwire, says that developers must verify Intent sources which could expose sensitive data on an Android device. He notes that SHAREit allows external programs to trigger the download of APK files from insecure HTTP servers.
“Deep links and locally exposed intents are among the primary attack surfaces of Android applications because of how they can receive input from web sites or other local applications,” Young adds. “Intents are a way of representing operations which can be performed within an application. Developers use deep links to directly reference application content from external sources like web sites.”