SHAREit fixes security bugs in app with 1 billion downloads, three months after initial report

Singapore-based Smart Media4U Technology said today that it fixed SHAREit vulnerabilities that may have allowed attackers to execute arbitrary code remotely on users’ devices.

The security bugs impact the company’s SHAREit Android app, an application that downloaded more than 1 billion times, according to Google Play Store statistics.

“On February 15, 2021, we became aware of a report by Trend Micro about potential security vulnerabilities in our app,” SHAREit said in a press release published on Friday.

“We worked quickly to investigate this report, and on February 19, 2021, we released a patch to address the alleged vulnerabilities.”

SHAREit users exposed to attacks

As Trend Micro mobile threat analysts Echo Duan and Jesse Chang found, the now-fixed security bugs can be abused by attackers for gaining access to the sensitive information stored by users on devices running vulnerable SHAREit versions.

They could also be abused to execute arbitrary code with SHAREit permissions with the help of malicious code or app, potentially allowing the threat actors to use it in Remote Code Execution (RCE) attacks.

The security flaws also expose users of unpatched SHAREit versions to man-in-the-disk (MITD) attacks, allowing attackers to manipulate application resources stored on external storage via code injection.

In 2019, SHAREit patched two other security vulnerabilities that would’ve enabled attackers to bypass the app’s authentication mechanism and download arbitrary user files from vulnerable devices.

Vulnerabilities patched after public disclosure

While SHAREit’s owner says that it just became aware of Trend Micro’s findings earlier this month, Trend Micro noted that the security bugs were reported to the vendor three months before the report was published.

“We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission,” they said.

To make things even worse, attacks abusing these vulnerabilities would not be easily detectable, which probably added to the urgency of publishing their discovery.

“The security of our app and our users’ data is of utmost importance to us,” SHAREit added. “We are fully committed to protecting user privacy and security and adapting our app to meet security threats.”