A Hugely Popular File-Sharing Android App Also Has Giant, Terrible Security Flaws

A Hugely Popular File-Sharing Android App Also Has Giant, Terrible Security Flaws

An Android app used by a significant chunk of the global population also has glaring security flaws that would allow a savvy hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.

ShareIt, which claims to have more than 1 billion global downloads, is the product of Singapore-based developer Smart Media4U. Its primary feature is peer-to-peer file sharing, which gives users the ability to exchange photos, music, videos, gifs, etc. The app, which has been on an upward trajectory over the past several years, has garnered recognition for its swift growth and global reach.

But it also apparently has software vulnerabilities that would allow a bad actor to easily leak a user’s data or even execute arbitrary code by abusing ShareIt permissions, according to a new report from Trend Micro.

Screenshot: Lucas Ropek: Google Play Store/SHAREit
Screenshot: Lucas Ropek: Google Play Store/SHAREit

The report shows that the one of the app’s chief vulnerabilities stems from how it shares information and permissions with other apps. Indeed, due to the way Android phones are set up to share information between different programs, the platform has a history of bad actors attempting to exploit inter-app communication and leverage it toward malicious ends. Specifically, “bad apps” or programs secretly run by a bad actor may look for ways to access data on legitimate apps.

ShareIt is set up to essentially swing the doors wide open to other apps when it comes to data exchange via its content provider interface. According to researchers, these vulnerabilities could allow “any third-party entity” to “gain temporary read/write access to the [app’s] content provider’s data.” This would essentially allow for a hijacking of the app to run “custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge,” ZDNet notes.

Trend Micro researchers discovered this vulnerability by doing it themselves. By manipulating how apps in the Android ecosystem talk to each other, they found that the ShareIt app would share way too much information, revealing a user’s “arbitrary activities, including ShareIt’s internal (non-public) and external app activities.” In various ways, these security flaws could ultimately be “abused to leak a user’s sensitive data and execute arbitrary code with ShareIt permissions,” researchers write.

Probably the worst thing in the whole report is the fact that Trend Micro says it shared these security issues with Smart Media4U about three months ago and that the company apparently did nothing. The report concludes:

We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack, because the attacker can steal sensitive data and do anything with the apps’ permission.

This is also not the first time that ShareIt has been flagged as a security risk. The app was actually blacklisted by the U.S. in January, when a vaguely worded executive order from the Trump White House listed it as one of several “Chinese connected” applications that Americans should stay away from for fear of where their data might end up. On his way out the door, Trump issued a blitz of such orders targeted at the Asian technology sector, most of which seemed designed to antagonize and isolate Chinese companies. The order proclaims:

The United States has assessed that a number of Chinese connected software applications automatically capture vast swaths of information from millions of users in the United States, including sensitive personally identifiable information and private information. At this time, action must be taken to address the threat posed by these Chinese connected software applications…

It’s unlikely that a ton of Americans actually use ShareIt. Industry outlets seem to show that a majority of the app’s user base is located in the Middle East, Africa and Asia (it was recently banned in India, where the government barred its military service personnel from using the app due to data security concerns). Nonetheless, if you have downloaded ShareIt and are using it for some reason, it might be best to rethink that decision.

We have reached out to Smart Media4U for comment and will update this story if we hear back.