Millions of Android users exposed to multiple vulnerabilities in SHAREit

Mobile security experts report that SHAREit, an app for Android devices that has been downloaded more than a billion times, contains severe security flaws that would allow its functions to be hijacked to overwrite files, execute malicious code or deploy an attack variant known as Man-in-the-Disk (MiTD).

SHAREit was developed by Spanish firm Softonic. It allows users to share files with nearby or remote devices and has become one of the most popular applications of its kind. Although the flaws were reported to the developers at least three months ago, they remain unpatched.

Echo Duan, a specialist at security firm Trend Micro, mentions that he decided to publish the report due to massive user exposure: “It’s been three months without receiving a response and there are millions of users exposed, so we decided to disclose our research.” Experts also noted that the flaw is not easily detectable, but the risk of exploitation is real.

The report mentions that the application code declares the broadcast receiver ‘com.lenovo.anyshare.app.DefaultReceiver’, which receives the action ‘com.ushareit.package.action.install_completed’; the Intent carried in its extras is subsequently passed to the startActivity() function. Through a proof of concept, experts discovered that any application can invoke this component, providing access to arbitrary activities to complete the attack.

A third party might gain temporary read/write access to content provider data through a FileProvider flaw. In addition, the developer specifies a wide storage-area root path, allowing access to all files in the /data/data/<package> folder.
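As an added example (not code from the researchers' report or from SHAREit), the following Python script shows how a reviewer could flag the two configuration patterns described above in a decoded AndroidManifest.xml and a FileProvider paths file. The sample XML is constructed, only the receiver and action names come from the article, and the function names are hypothetical; whether a flagged receiver actually forwards an embedded Intent to startActivity() still has to be confirmed in the code.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (not SHAREit's real files); only the receiver and
# action names are taken from the article.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <receiver android:name="com.lenovo.anyshare.app.DefaultReceiver">
      <intent-filter>
        <action android:name="com.ushareit.package.action.install_completed"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

PROVIDER_PATHS = """<paths>
  <root-path name="root" path="."/>
  <files-path name="shared" path="outbox/"/>
</paths>"""


def exported_receivers(manifest_xml):
    """Receivers that other apps can reach without holding a permission."""
    hits = []
    for r in ET.fromstring(manifest_xml).iter("receiver"):
        exported = r.get(ANDROID + "exported")
        # Before Android 12, an intent-filter implies exported="true" by default.
        if exported is None:
            exported = "true" if r.find("intent-filter") is not None else "false"
        if exported == "true" and r.get(ANDROID + "permission") is None:
            actions = [a.get(ANDROID + "name") for a in r.iter("action")]
            hits.append((r.get(ANDROID + "name"), actions))
    return hits


def broad_provider_paths(paths_xml):
    """FileProvider entries that map a whole storage root, not a subfolder."""
    hits = []
    for p in ET.fromstring(paths_xml):
        path = (p.get("path") or "").strip("/")
        if p.tag == "root-path" or path in ("", "."):
            hits.append((p.tag, p.get("path")))
    return hits
```

Findings from either function are review leads: a receiver that must stay exported should validate the embedded Intent before starting it, and provider paths should name the narrowest subfolder that needs sharing.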

Researchers included in their proof of concept code that reads WebView cookies and writes to any SHAREit file folder: “In other words, it is possible to overwrite any existing files in the application,” the experts mention. This would allow threat actors to hijack SHAREit’s functions through a malicious application without users noticing the attack.

The MiTD attack is a man-in-the-middle variant related to how Android operating systems manage internal and external storage. It allows threat actors to intercept and even alter data in these storage areas, and the SHAREit flaws make it more likely: “When the user downloads an application, it is sent to an external directory, so any application can access this data with write permission to the SD card.”

While the cybersecurity community is still waiting for the response from developers, experts recommend avoiding the use of these apps, as well as verifying that any other tools installed on your devices are updated to the latest version.