SHAREit app for Android said to share way too much: Billion-download code with holes no one wants to fix

Updated Trend Micro has published a report claiming that data-sharing Android app SHAREit, which has over a billion downloads, contains multiple vulnerabilities after the app's maker ignored advice to fix the flaws.

In a blog post published on Monday, Trend Micro researchers Echo Duan and Jesse Chang describe a series of vulnerabilities in SHAREit that could potentially allow a miscreant to leak data and run malicious code, locally or remotely.

They speculate that the bugs at issue are inadvertent and say that they have chosen to publicize them three months after disclosing their findings to Singapore-based Smart Media4U Technology because they've received no response from the app maker.

"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission," the researchers said.

SHAREit for Android, they say, has over a billion downloads from the Google Play Store. Google, it's claimed, has been made aware of Trend Micro's concerns; the ad giant did not immediately respond to a request for comment.

According to Duan and Chang, the SHAREit app implements a broadcast receiver component called "com.lenovo.anyshare.app.DefaultReceiver" that can be invoked via Android's Intent inter-app communication mechanism from any other app. They constructed a proof-of-concept Intent that shows "arbitrary activities, including SHAREit's internal (non-public) and external app activities."

Worse still, the app defines a FileProvider – a file sharing API – that allows third-party apps to have temporary file read and write access to the SHAREit app's data, from the app root rather than being narrowly scoped to a specific directory. Thus, the researchers were able to devise proof-of-concept code to read cookies associated with the WebView browsing component available to the app.

They say they could also overwrite existing files associated with the app, including vdex/odex files – validated/optimized .dex (Dalvik Executable) files that preload information for faster app startup. Rewiring these files, they contend, could allow an attacker to alter those files so they execute malicious code.

The app also implements a deep linking feature that allows it to download files from any http/https URL that includes *.wshareit.com or gshare.cdn.shareitgames.com domain. Because this feature will install an Android APK with the file suffix .sapk. Duan and Chang say it's possible to install a malicious app and enable limited remote code execution.

While they note that Google Chrome implements a defense against silent app installation via deep link URL, they point out that a local app could still trigger a download and installation from an arbitrary URL.

What's more, SHAREit is also vulnerable to a miscreant-in-the-middle (MITM) attack. The researchers say that when the app downloads other apps from the download center, it checks an external directory that can be written to by any third-party app that has SDcard write permission. The app allows the download of other game apps listed in an .xml file and most of the URLs therein use the insecure http protocol, making them possible MITM vectors as well.

Smart Media4U Technology did not respond to a request for comment. ®

Updated to add

On Friday, the makers of ShareIt responded to our inquiry. “On February 15, 2021, we became aware of a report by Trend Micro about potential security vulnerabilities in our app,” a company spokesperson said.

“We worked quickly to investigate this report, and on February 19, 2021, we released a patch to address the alleged vulnerabilities.”