SHAREit, a leading file sharing, content streaming, and gaming platform, reports that it has fixed several security flaws in its Android app that could have put its billion users at risk.
The fix followed a report from Trend Micro, which on February 15, 2021, wrote about potential security vulnerabilities in the SHAREit app that could have allowed bad actors to access data stored on user devices and execute arbitrary code on those devices.
“The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app. They can also potentially lead to Remote Code Execution (RCE),” wrote the researchers.
The security flaws could have been open to exploitation by anyone for over three months. No one knows how many of SHAREit’s user accounts were actually compromised.
Acting on the Trend Micro report, the app’s developers issued a hotfix for the vulnerabilities detected by the security company.
“The security of our app and our users’ data is of utmost importance to us,” SHAREit said in a press release. “We are fully committed to protecting user privacy and security and adapting our app to meet security threats.”
According to Trend Micro, the discovered security flaws were particularly dangerous because they mimicked the legitimate functions of the app, and any attacks that exploited these vulnerabilities would have been hard to detect.
SHAREit also acts as a game center: the app downloads game apps based on a special configuration file, GameSettings.xml.
Having studied this file, the researchers saw that the download URLs belong to various vendors besides Google Play. Because the URLs use the HTTP protocol, “it is very dangerous to transfer data without encryption as these can be tampered with by a MitM attacker.”
To prove their point, the researchers successfully exploited the vulnerabilities with a proof-of-concept app that gained read/write access to the data and even ran arbitrary code on the device.
The SHAREit app is owned by Smart Media4U Technology Pte. Ltd, headquartered in Singapore.