Wednesday, November 6, 2024
HomeCVE/vulnerabilityUnpatched SHAREit Flaw Let Attackers Execute Remote Code

Unpatched SHAREit Flaw Let Attackers Execute Remote Code

Published on

Malware protection

SHAREit app is owned by Smart Media4U Technology Pte. Ltd. which is a global technology company in Singapore. SHAREit was originally made by Chinese tech giant Lenovo.  

The company produces an app, also called SHAREit, which is compatible with various smartphone platforms that allow users to share files between devices directly.

Experts from Trend Micro discovered vulnerabilities in the SHAREit application, which has over 1 billion downloads in Google Play. The vulnerabilities can be abused to leak a user’s sensitive data, execute arbitrary code, and possibly lead to remote code execution.

- Advertisement - SIEM as a Service

In the earlier period, vulnerabilities that can be used to download and steal files from users’ devices have also been associated with the app. While the app allows the transfer and download of various file types, such as Android Package (APK), the vulnerabilities related to these features are most likely unintended flaws.

Vulnerability Details

The flaw arises from the way the app facilitates sharing of files (via Android’s FileProvider), potentially allowing any third-party to gain temporary read/write access permissions and exploit them to overwrite existing files in the app’s data folder.

Experts observed SHAREit has set up deep links using URL leading to specific features in the app. These contain features that can download and install any APK. It declares a deep link feature that can download files from a URL that has the scheme of http/https and domain host that matches *.wshareit.com or gshare.cdn.shareitgames.com.

It also provides a feature that can install an APK with the file name suffix sapk. This feature can be used to install a malicious app; in that case, it will enable a limited RCE when the user clicks on a URL.

Therefore, the app is also vulnerable to man-in-the-disk (MitD) attack, which arises when careless use of “external storage” permissions, opens the door to the installation of fraudulent apps and even causes a denial of service condition.

To illustrate, experts manually copied Twitter.apk in the code to replace it with a fake file of the same name. As a result, a pop-up of the fake Twitter app will appear on the main screen of the SHAREit app (as shown below).

Reopening the SHAREit app will cause the fake Twitter app to appear on the screen again to prompt the user to install it (as shown below). Upon clicking the install button, the fake app will be installed successfully and opened automatically. This will show another system notification pop-up.

A pop-up from the fake Twitter app created to test the vulnerability
Download prompt from the fake Twitter app

Recommendations

According to the experts, security must be a top consideration for app developers, enterprises, and users alike.

For safe mobile app use, regularly updating and patching mobile operating systems and the app themselves is essential. Users should also keep themselves informed by reading reviews and articles about the apps they download.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Also Read

SHAREit App Vulnerabilities Allows Hackers to Bypass Android Device Authentication & Download Arbitrary Files Remotely

Digital Strike!! India Banned 59 Chinese Apps Including TikTok, UC Browser, SHAREit

Digital Strike!! Government of India Banned 118 Mobile Apps Including PUBG

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...