Unpatched SHAREit Flaw Let Attackers Execute Remote Code

SHAREit app is owned by Smart Media4U Technology Pte. Ltd. which is a global technology company in Singapore. SHAREit was originally made by Chinese tech giant Lenovo.  

The company produces an app, also called SHAREit, which is compatible with various smartphone platforms that allow users to share files between devices directly.

Experts from Trend Micro discovered vulnerabilities in the SHAREit application, which has over 1 billion downloads in Google Play. The vulnerabilities can be abused to leak a user’s sensitive data, execute arbitrary code, and possibly lead to remote code execution.

In the earlier period, vulnerabilities that can be used to download and steal files from users’ devices have also been associated with the app. While the app allows the transfer and download of various file types, such as Android Package (APK), the vulnerabilities related to these features are most likely unintended flaws.

Vulnerability Details

The flaw arises from the way the app facilitates sharing of files (via Android’s FileProvider), potentially allowing any third-party to gain temporary read/write access permissions and exploit them to overwrite existing files in the app’s data folder.

Experts observed SHAREit has set up deep links using URL leading to specific features in the app. These contain features that can download and install any APK. It declares a deep link feature that can download files from a URL that has the scheme of http/https and domain host that matches *.wshareit.com or gshare.cdn.shareitgames.com.

It also provides a feature that can install an APK with the file name suffix sapk. This feature can be used to install a malicious app; in that case, it will enable a limited RCE when the user clicks on a URL.

Therefore, the app is also vulnerable to man-in-the-disk (MitD) attack, which arises when careless use of “external storage” permissions, opens the door to the installation of fraudulent apps and even causes a denial of service condition.

To illustrate, experts manually copied Twitter.apk in the code to replace it with a fake file of the same name. As a result, a pop-up of the fake Twitter app will appear on the main screen of the SHAREit app (as shown below).

Reopening the SHAREit app will cause the fake Twitter app to appear on the screen again to prompt the user to install it (as shown below). Upon clicking the install button, the fake app will be installed successfully and opened automatically. This will show another system notification pop-up.

A pop-up from the fake Twitter app created to test the vulnerability
Download prompt from the fake Twitter app

Recommendations

According to the experts, security must be a top consideration for app developers, enterprises, and users alike.

For safe mobile app use, regularly updating and patching mobile operating systems and the app themselves is essential. Users should also keep themselves informed by reading reviews and articles about the apps they download.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

SHAREit App Vulnerabilities Allows Hackers to Bypass Android Device Authentication & Download Arbitrary Files Remotely

Digital Strike!! India Banned 59 Chinese Apps Including TikTok, UC Browser, SHAREit

Digital Strike!! Government of India Banned 118 Mobile Apps Including PUBG

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

20 hours ago