The Android file-sharing app SHAREit, which has been downloaded over 1 billion times from the Google Play Store, contains several unpatched vulnerabilities that can be abused by hackers to leak sensitive data of its users.
A new report by cyber security firm Trend Micro said the bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed.
“We discovered several vulnerabilities in the application named SHAREit. The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app,” said Echo Duan, a security researcher with Trend Micro.
They can also potentially lead to Remote Code Execution (RCE). In the past, vulnerabilities that can be used to download and steal files from users’ devices have also been associated with the app.
While the app allows the transfer and download of various file types, such as Android Package (APK), the vulnerabilities related to these features are most likely unintended flaws.
“We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable,” Trend Micro said.
“Cyber security should be a top consideration for app developers, enterprises, and users alike. For safe mobile app use, we recommend regularly updating and patching mobile operating systems and the apps themselves,” Trend Micro said.
China-based content-sharing app SHAREit, with over 1.8 billion users worldwide, has been included in the top ten most downloaded mobile applications globally, according to a report by App Annie revealed on February 4, 2020.