SHAREit fixes security bugs in app with 1 billion downloads

Singapore-based technology company Smart Media4U said today that it has patched SHAREit vulnerabilities that could have allowed attackers to remotely execute arbitrary code on users’ devices.

The security bugs affect the company’s SHAREit Android app, which has been downloaded more than a billion times according to statistics from the Google Play Store.

“On February 15, 2021, we became aware of a report from Trend Micro regarding potential security vulnerabilities in our app,” SHAREit said in a statement released Friday.

“We worked quickly to investigate this report, and on February 19, 2021, we released a patch to address the suspected vulnerabilities.”

SHAREit users exposed to attacks

As Trend Micro mobile threat analysts Echo Duan and Jesse Chang discovered, the now-patched security bugs can be exploited by attackers to gain access to sensitive information stored by users on devices running vulnerable SHAREit versions.

They could also be abused to execute arbitrary code with SHAREit’s permissions using malicious code or a malicious application, potentially allowing threat actors to use them in remote code execution (RCE) attacks.

The security flaws also expose users of unpatched versions of SHAREit to man-in-the-disk (MITD) attacks, allowing attackers to manipulate application resources stored on external storage via code injection.

In 2019, SHAREit fixed two other security vulnerabilities that would have allowed attackers to bypass the app’s authentication mechanism and download arbitrary user files from vulnerable devices.

Vulnerabilities fixed after public disclosure

While SHAREit’s owner says it only learned of Trend Micro’s findings earlier this month, Trend Micro noted that the security bugs were reported to the vendor three months before the report was released.

“We have decided to release our research three months after reporting this because many users could be affected by this attack as the attacker can steal sensitive data and do anything with the apps permission,” they wrote.

To make matters worse, attacks abusing these vulnerabilities would not be easily detected, which likely added to the urgency of publishing their discovery.

“The security of our app and our users’ data is of the utmost importance to us,” SHAREit added. “We are fully committed to protecting user privacy and security and adapting our app to respond to security threats.”

Sam D. Gomez