The SHAREit application, used for sharing files between users and their devices by more than a billion people, is said to have a significant vulnerability that has yet to be addressed.
Security flaws were discovered over three months ago in an app that was downloaded over a billion times.
The affected application is the Android version of SHAREit, a mobile application that allows users to share files with their friends or between multiple personal devices.
Echo Duan, the mobile threat analyst for cybersecurity firm Trend Micro, explains in a report that the vulnerabilities discovered could be exploited by cyber attackers to execute malicious code on smartphones where the SHAREit app is installed.
An application vulnerable to attacks
The root cause of these security holes is the lack of appropriate restrictions on who can access the application code.
According to Echo Duan, cyber attackers could, through malicious applications installed on a user's device or a "man-in-the-middle" network attack, send malicious commands to the SHAREit application to hijack its legitimate functionality and thus execute custom code, for example to overwrite local application files or install third-party applications without the user's knowledge.
In addition, the application is also vulnerable to so-called "man-in-the-disk" attacks. This type of vulnerability, first described by Check Point in 2018, involves the unsecured storage of sensitive application resources in a location in the phone's storage space shared with other applications, from where they can be removed, modified or replaced by cyber attackers.
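A common defence against the "man-in-the-disk" pattern described above is to treat anything staged in shared storage as untrusted: read it once, verify a pinned digest over those exact bytes, and work only from a copy in app-private storage. The following is an added example, not code from SHAREit, Trend Micro or Check Point; the class name, file names and sample data are constructed, and temporary directories stand in for shared and private storage.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: names, paths and sample data are constructed for illustration.
public class SharedStorageGuard {

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Reads the untrusted file once, checks the digest of those exact bytes,
    // and only then writes them into app-private storage. The caller uses the
    // private copy, so a later swap in shared storage has no effect.
    // expectedHex is assumed to be lower-case hexadecimal.
    static Path importVerified(Path untrusted, Path privateDir, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        byte[] data = Files.readAllBytes(untrusted);
        byte[] actual = sha256Hex(data).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHex.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, expected)) {
            throw new SecurityException("digest mismatch for " + untrusted.getFileName());
        }
        return Files.write(privateDir.resolve(untrusted.getFileName()), data);
    }

    public static void main(String[] args) throws Exception {
        Path shared = Files.createTempDirectory("shared");  // stands in for shared storage
        Path priv = Files.createTempDirectory("private");   // stands in for app-private storage
        Path staged = Files.write(shared.resolve("update.bin"),
                "v1 payload".getBytes(StandardCharsets.UTF_8));
        // In a real app the pinned digest ships with the app or arrives signed.
        String pinned = sha256Hex(Files.readAllBytes(staged));

        System.out.println("accepted: " + importVerified(staged, priv, pinned));

        // Simulate the staged file being replaced by another process.
        Files.write(staged, "tampered".getBytes(StandardCharsets.UTF_8));
        try {
            importVerified(staged, priv, pinned);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Hashing the bytes already held in memory, rather than re-reading the file after the check, is what closes the window between verification and use.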
An unresponsive developer
"We have reported these security breaches to the vendor, but they have yet to respond," Echo Duan commented on Monday. "So we decided to disclose our research three months after we reported this situation, because many users could be affected by this attack, and an attacker could steal sensitive data," he adds, while noting that any attack would also be difficult to detect from a defender's perspective. Contacted by email, SHAREit had not responded to our request for comment when this article was published.
Echo Duan also adds that he communicated his conclusions to Google, without specifying what the response of the owner of the Play Store was.
On its website, SHAREit says its app is used by 1.8 billion people in more than 200 countries around the world. Furthermore, the security vulnerabilities do not affect the iOS version of the application, which operates on a different codebase.