Trend Micro says they have found “several” security flaws in the popular Android app ShareIt. ShareIt has been downloaded over a billion times from the Play Store, and according to App Annie was one of the 1
The report says that ShareIt’s vulnerabilities can be “abused to leak a user’s sensitive data and execute arbitrary code with ShareIt permissions.” ShareIt’s permissions, as a local file sharing app, are quite extensive. According to the Play Store permissions listing, ShareIt requests access to all user storage and all media, the camera, the microphone, and location. It can delete apps, run at startup, create accounts and set passwords, and do much more. It also has full network access. Trend Micro says that compromising the app can lead to remote code execution. The security firm says it shared these vulnerabilities with ShareIt three months ago, but the company has not yet issued updates.
ShareIt’s incredible success, with one billion Android downloads and 1.8 billion users worldwide (there are also iOS, Windows and Mac apps), has led to what looks like an incredible amount of app bloat. The app was once considered one of the best for local file sharing, but today the Play Store listing shows an app that offers “Infinite web videos,” “Tens of millions of high quality songs,” “GIFs, wallpapers and stickers,” a “popular” media section that looks like a social network, a game store, a download section for retail movies, COVID-19 check-in activity and case statistics, and what looks like its own currency. ShareIt’s website (which, like the app, is not HTTPS by default) states that the service is “now a leading content platform” and popular in Southeast Asia, South Asia, the Middle East, Africa and Russia.
When private storage is not private
Trend Micro’s report describes a laundry list of bad decisions made in ShareIt’s design that leave it vulnerable to malicious code. One problem is a common Android app vulnerability that occurs when developers configure a content provider incorrectly. Android prides itself on communication between apps, in part because any app can create a content provider and offer its content and services to other apps. If Gmail wants to attach a file to an email, it can do so by displaying a list of the file content providers installed on your phone (it’s basically an “open with” dialog), and the user can choose their favorite file manager, navigate through storage, and send the file they want to Gmail. It’s up to developers to sanitize these cross-app capabilities and expose only the necessary file manager capabilities to Gmail and other apps.
ShareIt does not seem to have given much thought to the need to sanitize its content provider’s capabilities. The report states: “The developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. This indicates that any third party device may still have temporary read/write access to the content provider’s data.” It’s normal to grant some permissions, but Trend Micro found that ShareIt does not try to restrict permissions at all and will happily serve files to any app that asks. A malicious developer just needs to call the ShareIt file content provider and give it a file path to get back some of the files that make up the ShareIt app.
The file paths ShareIt will serve are limited to its own data files, but this means that other apps can edit the data ShareIt uses to run, including the app cache generated during installation and runtime. The report states that “an attacker can make a fake [app cache] file, and then replace these files via the aforementioned vulnerability to perform code execution.” Normally these files live in private storage, but ShareIt’s private storage is open to the world.
ShareIt also comes with its own Android app installer. Even setting aside its private storage that is no longer “private,” it repeats the same mistake we saw in Epic’s Fortnite installer: it downloads app installation files to world-readable storage, where they are vulnerable to a “Man-in-the-disk” attack. App installation files must be kept in private storage until they are installed. In public storage, the installation package can be replaced after it is downloaded but before it is installed. The user then thinks they are installing the good app they just downloaded, but it is actually a malicious app.
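To make the manifest pattern from the report concrete, here is an added example (not code from Trend Micro or ShareIt) that audits `<provider>` entries in an AndroidManifest.xml. The sample manifest, package name and finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (placeholder names, not ShareIt's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <provider android:name=".WideProvider"
        android:authorities="com.example.fileshare.wide"
        android:exported="false"
        android:grantUriPermissions="true"/>
    <provider android:name=".ScopedProvider"
        android:authorities="com.example.fileshare.scoped"
        android:exported="false"
        android:grantUriPermissions="false">
      <grant-uri-permission android:pathPrefix="/outgoing/"/>
    </provider>
    <provider android:name=".OpenProvider"
        android:authorities="com.example.fileshare.open"
        android:exported="true"/>
  </application>
</manifest>"""

def audit_providers(manifest_xml):
    """Return (provider name, finding code) pairs for providers needing review."""
    findings = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        name = p.get(ANDROID + "name", "?")
        # A missing attribute is treated as "false" (the default when targeting API 17+).
        exported = p.get(ANDROID + "exported", "false") == "true"
        grant_any = p.get(ANDROID + "grantUriPermissions", "false") == "true"
        guarded = any(p.get(ANDROID + attr) for attr in
                      ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            # Any installed app can query this provider directly.
            findings.append((name, "EXPORTED_UNGUARDED"))
        if grant_any:
            # exported="false" does not help here: a grant can cover any URI the
            # provider serves, so the paths it maps to must be reviewed.
            findings.append((name, "GRANT_ANY_URI_REVIEW_PATHS"))
        # grantUriPermissions="false" plus <grant-uri-permission> children limits
        # grants to the listed path subsets, so it is not flagged.
    return findings

if __name__ == "__main__":
    for name, code in audit_providers(SAMPLE_MANIFEST):
        print(f"{name}: {code}")
```

A `GRANT_ANY_URI_REVIEW_PATHS` finding is a prompt for review rather than proof of a bug: the provider is safe only if the paths it serves are narrow and no component of the app forwards grants on behalf of untrusted callers.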
“The attacker could steal sensitive data”
An additional problem is that ShareIt’s game store can apparently download app data over unsecured HTTP, where it can be exposed to a man-in-the-middle attack. ShareIt registers as a handler for any link that ends in its domains, such as “wshareit.com” or “gshare.cdn.shareitgames.com”, and it will automatically pop up when users click on a download link. Most apps force all traffic to HTTPS, but ShareIt does not. Chrome will block HTTP download traffic, so this must be done via a different web interface than the main browser.
Trend Micro concludes by saying: “We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting, as many users may be affected by this attack, as the attacker could steal sensitive data and do something with the app’s permission.” Users should probably uninstall the app ASAP. If you’re looking for a more secure file sharing option, Google’s File Manager can now do local sharing via Wi-Fi and should be written with better security practices.