SHAREit is a popular file-sharing Android app with more than one billion downloads, experts from Trend Micro discovered multiple unpatched vulnerabilities in its code.
The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
The vulnerabilities can potentially lead to Remote Code Execution (RCE) on the devices where the app is installed.
The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app. They can also potentially lead to Remote Code Execution (RCE).
“We discovered several vulnerabilities in the application named SHAREit. The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app.” reads the report published by Trend Micro. “They can also potentially lead to Remote Code Execution (RCE).”
The analysis of the app’s code revealed that that potentially any app can can call the startActivity() function through the broadcast receiver as “com.lenovo.anyshare.app.DefaultReceiver.” An attacker can view arbitrary activities, including SHAREit’s internal (non-public) and external app activities.
Experts also discovered that any third-party entity can still gain temporary read/write access to the FileProvider content provider’s data.
“SHAREit also defines a FileProvider. The developer behind this disabled the exported attribute via android:exported=”false”, but enabled the android:grantUriPermissions=”true” attribute. This indicates that any third-party entity can still gain temporary read/write access to the content provider’s data.” continues the analysis.
“Even worse, the developer specified a wide storage area root path. In this case, all files in the /data/data/<package> folder can be freely accessed.”
The app also provides a feature that can install an APK with the file name suffix sapk, an attacker can potentially abuse this feature to install a malicious app.
“If such is the case, it will enable a limited RCE when the user clicks on a URL.” continues the analysis. “To verify whether the above functionality is available in the Google Chrome browser, we built an href attribute in HTML. When the user clicks this download URL, Chrome will call SHAREit to download the sapk from http://gshare.cdn.shareitgames.com. Since it supports the HTTP protocol, this sapk can be replaced by simulating a man-in-the-middle (MitM) attack.”
Trend Micro has reported the vulnerabilities to the company behind the app but did not receive any reply and after three months decided to dislose it.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Avaddon ransomware)