Have you installed the popular Android app SHAREit on your phone? If so, remove it as soon as possible. According to researchers at Trend Micro, SHAREit suffers from many fatal flaws that allow hackers to run code on your device, install malicious apps, and more. And after three months, SHAREit has chosen not to do anything about the problem.
According to Trend Micro, the vulnerabilities would allow malicious actors to “leak sensitive user data and execute arbitrary code with SHAREit permissions.”
As the name suggests, it started life as a sharing app, which already requires a lot of permissions. But the app really took off and now it’s a GIF app, video player, song finder, game store, movie store and more.
SHAREit can request access to the camera, microphone, location, the entire user storage and all media. But while it asks for all those permissions, it fails to enforce the proper restrictions that Android requires to prevent abuse.
The problem stems from the way the developers have enabled external storage permissions. If developers follow the correct guidelines, everything will be fine. But ignore them, as the SHAREit developers did, and you leave your users vulnerable to a “man-in-the-disk” attack.
App installation files should be sent to secure storage to keep them safe during the critical installation period. If the developer stores those files in public storage instead, a bad guy could intercept the installation files, replace them with new versions, and essentially upgrade an app to a malicious app. The same thing happened with Epic’s Fortnite installer in 2018.
If that’s not bad enough, SHAREit’s game store downloads app data over unsecured network connections (HTTP), leaving the app open to man-in-the-middle attacks. With the right know-how, a bad actor can update SHAREit to a malicious version, steal your user data, or both.
Trend Micro says it notified SHAREit’s developers of the issues three months ago and never heard back. Hopefully all the bad publicity will help change course, but in the meantime, you’d better delete SHAREit, at least for now.
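For anyone vetting apps before they go onto managed devices, the two weaknesses described above (install files staged on shared storage, and downloads over HTTP) leave traces in an app's manifest. The following is an added example, not code from Trend Micro or SHAREit: it audits a decoded AndroidManifest.xml for those preconditions. The sample manifest, the package name and the finding codes are constructed for illustration, and a finding marks a configuration worth reviewing, not proof of a flaw.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sharingapp">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true"
      android:requestLegacyExternalStorage="true"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return a sorted list of finding codes (hypothetical names)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    attrs = app.attrib if app is not None else {}
    findings = set()

    writes_shared = "android.permission.WRITE_EXTERNAL_STORAGE" in perms
    installs = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    if writes_shared and installs:
        # The app can stage APKs on shared storage and then install them.
        findings.add("APK_STAGING_ON_SHARED_STORAGE_POSSIBLE")
    if attrs.get(ANDROID + "requestLegacyExternalStorage") == "true":
        findings.add("LEGACY_EXTERNAL_STORAGE")  # opts out of scoped storage
    if "android.permission.INTERNET" in perms:
        cleartext = attrs.get(ANDROID + "usesCleartextTraffic")
        has_nsc = (ANDROID + "networkSecurityConfig") in attrs
        if cleartext == "true":
            findings.add("CLEARTEXT_HTTP_ALLOWED")
        elif cleartext is None and not has_nsc:
            # Default depends on targetSdkVersion (allowed below API 28).
            findings.add("CLEARTEXT_NOT_EXPLICITLY_DISABLED")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```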
Source: Trend Micro via Ars Technica