Cybersecurity experts have discovered that a popular Android app, downloaded one billion times, is riddled with vulnerabilities. An attacker can exploit the permissions of the SHAREit mobile app to leak sensitive data and remotely execute malicious code.
SHAREit is used to share files between Android users and devices. SHAREit is owned by Smart Media4U Technology Pte. Ltd. in Singapore and was previously owned by Lenovo before it was spun off into its own company.
According to Trend Micro researchers, the flaw was reported to the vendor nearly three months ago but had still not been patched as of the report's publication on Monday.
“We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable,” wrote Echo Duan and Jesse Chang from the Trend Micro security team.
Vulnerability details and PoCs
The Trend Micro report describes the vulnerabilities in detail and includes proof-of-concept (PoC) code showing how malicious code can carry out man-in-the-middle attacks and steal sensitive files. For instance, Trend Micro found that the developer had specified a wide storage area root path (e.g., the /data/data/<package> folder), which malicious code can then access freely.
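The finding above is the kind of defect a build-time check can catch. The following is an added example, not code from the Trend Micro report or from SHAREit: a small lint for an Android FileProvider paths XML that flags entries exposing a whole storage area instead of one sub-directory. It assumes the wide root path was declared through FileProvider's paths XML (the usual way an Android app hands its files to other apps via content:// URIs); the sample declarations, the function name and the "outbox/" directory are constructed for illustration.

```python
"""Added example (not code from the Trend Micro report or the SHAREit app):
a lint for an Android FileProvider paths XML that flags over-broad entries.
Assumption: the "wide storage area root path" described in the report was
declared through FileProvider's paths XML resource.
"""
import xml.etree.ElementTree as ET

# Elements FileProvider understands, and the directory each one is rooted at.
# Everything except root-path is already confined to one app-owned area.
PATH_ELEMENTS = {
    "files-path": "<internal>/files",
    "cache-path": "<internal>/cache",
    "external-path": "<external storage root>",
    "external-files-path": "<external>/Android/data/<package>/files",
    "external-cache-path": "<external>/Android/data/<package>/cache",
    "external-media-path": "<external>/Android/media/<package>",
    "root-path": "/ (entire filesystem, including /data/data/<package>)",
}


def lint_file_provider_paths(xml_text: str) -> list[str]:
    """Return human-readable findings for over-broad path entries.

    An entry is over-broad when it is a root-path (the provider will serve any
    file its own process can read, private app data included) or when its
    path attribute is empty, "." or "/", which shares the whole storage area
    instead of one sub-directory set aside for files meant to be shared.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "paths":
        return [f"unexpected root element <{root.tag}>, expected <paths>"]
    for child in root:
        if child.tag not in PATH_ELEMENTS:
            findings.append(f"unknown element <{child.tag}>")
            continue
        name = child.get("name", "")
        path = child.get("path", "").strip()
        if child.tag == "root-path":
            findings.append(
                f"<root-path name={name!r} path={path!r}>: exposes {PATH_ELEMENTS[child.tag]}"
            )
        elif path in ("", ".", "/", "./"):
            findings.append(
                f"<{child.tag} name={name!r} path={path!r}>: shares all of {PATH_ELEMENTS[child.tag]}"
            )
    return findings


# Constructed sample: the weak declaration, which serves everything under the
# filesystem root through the provider's content:// URIs.
WEAK_PATHS_XML = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="." />
</paths>
"""

# Constructed sample: the corrected declaration, limited to one directory
# ("outbox/", a hypothetical name) holding only files the app intends to share.
FIXED_PATHS_XML = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <files-path name="shared_files" path="outbox/" />
</paths>
"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_PATHS_XML), ("fixed", FIXED_PATHS_XML)):
        print(label, lint_file_provider_paths(xml_text) or ["no over-broad entries"])
```

Running the script reports one finding for the weak declaration and none for the corrected one. The same function can be run in CI over every `res/xml/*paths*.xml` in an app module so that a root-path or a "." path fails the build rather than shipping.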
In another case, the experts found that the SHAREit app generates vdex/odex files by running dex2oat when it is first launched.
“The app then loads these files directly in subsequent running. An attacker may craft a fake vdex/odex file, then replace those files via the above mentioned vulnerability to perform code execution,” the researchers noted.
Moreover, SHAREit uses deep links, URLs that open specific features in the mobile app, which can be used to download and install any APK (the package file format used by the Android operating system).
These are just a few of the noted vulnerabilities from the Trend Micro report.
Security experts have been warning about rapidly growing mobile malware threats, with cybercriminals targeting mobile phones to manipulate them and quickly profit from them.