Android malware is nothing new for fans of Google’s mobile operating system, but a set of newly discovered vulnerabilities in a popular app called ShareIt is just as worrisome. According to a Trend Micro report, the flaws can be abused to extract a user’s sensitive information as well as execute arbitrary code using the app’s permissions.
For those of you who don’t know, Lenovo originally developed ShareIt as a way for users to easily share files between Internet-connected devices. Currently, it’s being developed by Smart Media 4U Technology, a software company based in Singapore. According to App Annie, it has over 1.8 billion downloads worldwide across multiple operating systems, with one billion on the Play Store alone.
Security researchers noted that one of the flaws stems from how the app implements its file transfer functionality using Android’s FileProvider component. Furthermore, the app requests access to the entire storage as well as unrelated things like the camera, microphone, and your device’s location.
On top of that, ShareIt has discoverable deep links using URLs that lead to certain functionality like downloading and installing APK files, creating accounts, and setting passwords, which can easily be exploited by a malicious actor for remote code execution. The app also doesn’t force traffic through HTTPS, which opens it up to even more attack methods.
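For developers who want to check their own apps for the same classes of exposure, here is a small manifest audit, added as an illustration and not taken from the Trend Micro report or from ShareIt. It assumes the `AndroidManifest.xml` has already been decoded to plain XML; the sample manifest is constructed, and because the article does not say how the provider was misconfigured, the script only lists exported providers for manual review.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions the article calls out (storage, camera, microphone, location).
BROAD = {"WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION"}

# Constructed sample manifest; package, host and class names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filetransfer">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".InstallActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="http" android:host="dl.example.invalid"/>
      </intent-filter>
    </activity>
    <provider android:name=".TransferProvider" android:exported="true"
        android:authorities="com.example.filetransfer.files"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    root = ET.fromstring(manifest_xml)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        if name in BROAD:
            findings.append(("broad-permission", name))
    app = root.find("application")
    # The default depends on targetSdkVersion, so only an explicit "true" is flagged.
    if app is not None and app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append(("cleartext-allowed", "application"))
    for act in root.iter("activity"):
        for f in act.iter("intent-filter"):
            cats = {c.get(ANDROID + "name") for c in f.iter("category")}
            schemes = [d.get(ANDROID + "scheme") for d in f.iter("data")]
            if "android.intent.category.BROWSABLE" in cats:  # reachable from a web link
                findings += [("deep-link", f"{act.get(ANDROID + 'name')} {s}") for s in schemes if s]
    for prov in root.iter("provider"):
        if prov.get(ANDROID + "exported") == "true":
            findings.append(("exported-provider", prov.get(ANDROID + "name")))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each finding is a prompt for review rather than proof of a flaw: a browsable deep link, for example, is only a problem when the activity behind it performs a sensitive action without validating who sent the link.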
Trend Micro reported the vulnerabilities to the app’s developers but had received no response after three months. The researchers recommend that users uninstall the app; Google’s own file manager app offers virtually the same file-sharing functionality if your devices are all connected to the same Wi-Fi network.