An Android application that has been downloaded more than a billion times contains unpatched vulnerabilities that the app maker has not resolved for more than three months.
The vulnerabilities affect the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, said Echo Duan, a mobile threat analyst for security firm Trend Micro, in a report on Monday.
The root cause of the security flaws is the lack of proper restrictions on who can invoke the application's code.
Duan said that malicious apps installed on a user’s device, or attackers carrying out a man-in-the-middle network attack, can send malicious commands to the SHAREit app and hijack its legitimate features to run custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge.
Furthermore, the app is also vulnerable to so-called Man-in-the-Disk attacks, a class of vulnerability first described by Check Point in 2018, which concerns the insecure storage of sensitive resources in the phone’s shared storage space, where other apps can read them and attackers can delete, edit or replace them.
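The flaw class described above, an app exposing components that any other app on the device can call without holding a permission, is something a developer or reviewer can check for in the app's own manifest. The following audit script is an added example, not Trend Micro's or SHAREit's code; the manifest it scans is constructed, and its component names are hypothetical.

```python
"""Audit an AndroidManifest.xml for components exposed to any other app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported (the pre-API-31 default). A provider without the attribute is
    treated as exported to stay conservative."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None or elem.tag == "provider"


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for every exported component with no android:permission,
    i.e. one that any app on the device may invoke."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag in COMPONENTS and is_exported(comp) and not _attr(comp, "permission"):
            findings.append((comp.tag, _attr(comp, "name")))
    return findings


# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fileshare">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".CommandReceiver" android:exported="true"/>
    <receiver android:name=".SafeReceiver" android:exported="true"
              android:permission="com.example.fileshare.permission.INTERNAL"/>
    <service android:name=".TransferService" android:exported="false"/>
    <provider android:name=".FileProvider" android:authorities="com.example.fileshare.files"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without android:permission")
```

A launcher activity is expected to appear in the output; the receiver and provider hits are the ones to review, either by setting android:exported="false" or by guarding them with a signature-level permission.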
App maker did not respond in three months
“We reported these vulnerabilities to the vendor, who has not responded yet,” Duan said today.
“We decided to disclose our research three months after we reported this, as many users may be affected by this attack because the attacker could steal sensitive data,” he added, noting that attacks would also be difficult to detect from a defender’s perspective.
Contacted by email, a SHAREit spokesperson had not returned a request for comment by the time this article was published.
Duan said he also shared his findings with Google, but did not elaborate on the response from the Play Store owner.
On its website, SHAREit's developers claim that their apps are used by 1.8 billion users in more than 200 countries worldwide. The vulnerabilities do not affect the SHAREit iOS app, which runs on a different code base.