Multiple unpatched vulnerabilities have been discovered in SHAREit, a popular app with over one billion downloads, that could be abused to leak a user’s sensitive data, execute arbitrary code, and possibly lead to remote code execution.
The findings come from cyber-security firm Trend Micro’s analysis of the Android version of the app, which allows users to share or transfer files between devices.
But in a worrisome twist, the flaws are yet to be patched by Smart Media4U Technology Pte. Ltd., the Singapore-based developer of the app, despite responsible disclosure three months ago.
“We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission,” Trend Micro researcher Echo Duan said in a write-up. “It is also not easily detectable.”
One of the flaws arises from the way the app shares files (via Android’s FileProvider), potentially allowing any third party to obtain temporary read/write URI permissions and use them to overwrite existing files in the app’s private data folder.
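As an added illustration of the FileProvider exposure described above (example configuration, not SHAREit’s or Trend Micro’s code), here is a `<paths>` resource that maps the whole private files directory beside one scoped to a single outbound subdirectory, with the manifest entry both rely on. The authority name and directory names are assumed.

```xml
<!-- AndroidManifest.xml (assumed authority name): a FileProvider must stay
     unexported and hand out only per-URI grants, so the <paths> resource
     below decides how far a granted URI can reach. -->
<provider
    android:name="androidx.core.content.FileProvider"
    android:authorities="com.example.share.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>

<!-- res/xml/file_paths.xml, WEAK: path="." maps the entire private files
     directory, so any URI the app grants (and any write grant it attaches
     via FLAG_GRANT_WRITE_URI_PERMISSION) can address app-owned state
     there, not just the file being shared. -->
<paths>
    <files-path name="all_files" path="." />
</paths>

<!-- res/xml/file_paths.xml, HARDENED: only a dedicated outbox is reachable;
     files the app depends on live outside it, and share intents should
     attach FLAG_GRANT_READ_URI_PERMISSION alone, never the write flag. -->
<paths>
    <files-path name="outbox" path="outbox/" />
</paths>
```

With the hardened resource, a recipient that obtains a content URI can read only what the app deliberately placed in `files/outbox/`, and without a write grant it cannot overwrite even that.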