Do you have the popular Android app ShareIt installed on your phone? You should uninstall that as soon as possible. Sooner if possible. According to researchers at Trend Micro, ShareIt suffers from many fatal flaws that could let hackers execute code on your device, install malicious apps, and more. And after three months, ShareIt chose to do nothing about the problem.
According to Trend Micro, the vulnerabilities would allow bad actors to “leak a user’s sensitive data and execute arbitrary code with ShareIt permissions.” ShareIt comes with extensive permissions requirements due to being an “everything in one” app.
As the name suggests, it started life as a sharing app, which already calls for plenty of permissions. But the app ballooned, and now it’s a gif app, a video player, a song finder, a game store, a movie store, and more.
ShareIt can request access to the camera, microphone, location, the entire user storage, and all media. But while it requests all those permissions, it fails to put in the proper restrictions Android calls for to prevent abuse.
The problem stems from how the developers enabled external storage permissions. If developers follow proper guidelines, everything will be fine. But ignore them, as ShareIt’s developers did, and you’ll leave your users vulnerable to a “man-in-the-disk” attack.
An app’s install files should be sent to protected storage to keep them safe during the critical install period. If the developer stores those files in public storage instead, a bad actor can intercept the install files, replace them with new versions, and essentially upgrade an app to a malicious app. The same thing happened with Epic’s Fortnite installer in 2018.
If that’s not bad enough, ShareIt’s game store downloads app data over unsecured network connections (HTTP), which leaves the app open to man-in-the-middle attacks. With the right know-how, a bad actor can update ShareIt to a malicious version, steal your user data, or both.
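The checks a developer would make before installing a downloaded package, covering both the storage and the HTTP problems described above, shown as an added example that is not ShareIt's or Trend Micro's code. It uses plain JDK calls; the class and method names and the `cdn.example` URL are hypothetical, and temporary directories stand in for an app's private directory (on Android, `Context.getFilesDir()`) and for shared storage.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;

public class StagedPackageCheck {
    // Refuse cleartext sources: an HTTP response can be altered in transit.
    static boolean isSecureSource(URI source) {
        return "https".equalsIgnoreCase(source.getScheme());
    }

    static String sha256Hex(Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // True only if the file really sits under the private directory (symlinks
    // resolved) and its digest matches the one published for this package.
    static boolean okToInstall(Path privateDir, Path staged, String expectedHex)
            throws Exception {
        Path real = staged.toRealPath();
        if (!real.startsWith(privateDir.toRealPath())) return false;
        byte[] actual = sha256Hex(real).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual,
                expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; "pinned" stands in for a digest from a trusted manifest.
        Path priv = Files.createTempDirectory("app-private");
        Path shared = Files.createTempDirectory("shared-storage");
        byte[] payload = "constructed payload".getBytes(StandardCharsets.UTF_8);
        Path pkg = Files.write(priv.resolve("update.apk"), payload);
        String pinned = sha256Hex(pkg);
        URI cleartext = URI.create("http://cdn.example/update.apk");
        System.out.println("cleartext source allowed: " + isSecureSource(cleartext));
        System.out.println("private, untouched: " + okToInstall(priv, pkg, pinned));
        Path outside = Files.copy(pkg, shared.resolve("update.apk"));
        System.out.println("shared storage copy: " + okToInstall(priv, outside, pinned));
        Files.write(pkg, "replaced".getBytes(StandardCharsets.UTF_8));
        System.out.println("content replaced: " + okToInstall(priv, pkg, pinned));
    }
}
```

The digest check only helps if the installer then reads that same private file, since a copy handed off through shared storage could still be swapped after the check.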
Trend Micro says it notified ShareIt’s developers three months ago about the problems and never heard back. Hopefully, all the bad publicity will help change the course, but in the meantime, you’d be better off uninstalling ShareIt, at least for now.
Source: Trend Micro via Ars Technica