The popular SHAREit app isn't just set to be banned in the US in the next three days; it was also apparently vulnerable to a (slightly convoluted) attack. The technical details are a bit of a slog, but in short, the app could indirectly allow for the execution of arbitrary code remotely, read or overwrite the app's local files, or even allow for third-party APKs to be installed. Developers of the app, which claims over a billion installs at the Play Store, were notified of the vulnerability three months ago, but according to Trend Micro, they haven't done anything to address it.
You can click through the source link down at the bottom for all the technical details, but the short version is that any app can hand SHAREit a bit of code to trigger further arbitrary code execution by the app, which also lets it read and write the app's siloed storage. On top of that, SHAREit can be instructed to download an APK from a handful of hard-coded URLs and install it. Thankfully, Chrome is smart enough to detect and mitigate this kind of hand-off when it is used as the vector to trigger the attack, but other avenues are also possible, and the app is also subject to a sort of man-in-the-middle attack via storage. It's all pretty convoluted, but these pieces can be combined in a way that could leave customers' devices vulnerable — though, admittedly, it sounds like users would have to take specific actions for it to be effective.
Play Store listing details for SHAREit.
SHAREit was originally part of Lenovo, and the app may even be pre-installed on some Lenovo Android devices, furthering the potential spread of this vulnerability. It claims over one billion downloads to date on its Play Store listing, and a "Lite" version of the app was released in 2019.
Security researchers claim they reported these vulnerabilities to the developers behind the app three months ago. The information is only now being divulged to raise awareness since the company behind the app seemingly wasn't interested in addressing the issue during that time.
SHAREit likely isn't too popular in the US, but the app is well-known in some markets, allowing customers to quickly and simply share files with one another locally. It also has some content of its own, like videos, music, and gif/wallpaper discovery, the sort of extras many apps targeting developing markets cram in to encourage use.
Although we have a new administration here in the US, to our knowledge the app is still set to be banned in just a few days following a decision from outgoing president Trump, though the order itself seems to have been removed. Notably, it wasn't included in the list of orders reversed on January 20th. The app has also been banned in India. It's pretty unlikely we'll get a response, but we have reached out to confirm whether the order will still be enforced in the US this Friday.
- Trend Micro