An Android app used by a significant portion of the world’s population also has glaring security flaws that would allow a smart hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.
ShareIt, which claims to have more than 1 billion worldwide downloads, is the product of the Singapore-based developer Smart Media4U. Its main feature is peer-to-peer file sharing, which allows users to exchange photos, music, videos, and more. The app, which has been on an upward trajectory over the past few years, has gained recognition for its rapid growth and global reach.
But apparently, it also has software vulnerabilities that would allow a malicious actor to easily leak a user’s data or even execute arbitrary code by abusing ShareIt’s permissions, according to a new report from Trend Micro.
The report shows that one of the main vulnerabilities in the app comes from how it shares information and permissions with other apps. In fact, because of the way Android phones are configured to share information between different programs, the platform has a history of bad actors trying to exploit communication between applications for malicious purposes. Specifically, “bad applications,” or programs secretly managed by a bad actor, can look for ways to access data in legitimate applications.
ShareIt is configured in a way that opens the door to other applications when it comes to exchanging data through its content provider interface. According to the researchers, these vulnerabilities could allow “any third-party entity” to gain “temporary read/write access to the [app’s] content provider data.” This would basically allow an application hijack to “run custom code, overwrite local application files, or install third-party applications without the user’s knowledge,” ZDNet notes.
Trend Micro researchers discovered this vulnerability by trying it themselves. By manipulating how apps in the Android ecosystem talk to each other, they found that the ShareIt app would share too much information, revealing a user’s “arbitrary activities, including ShareIt’s internal (non-public) and external application activities.” “In many ways, these security flaws could ultimately be abused by leaking sensitive data from a user and running arbitrary code with ShareIt permissions,” the researchers write.
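
How a reviewer could triage an app's manifest for the kind of exposure described above, as an added example that is not from the article or the Trend Micro report. The manifest is constructed for a hypothetical app (com.example.share), and mapping the issue to the `android:exported` and `android:grantUriPermissions` attributes is an assumption about where such exposure is declared.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical app (com.example.share); not from any real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.share">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <provider android:name=".FilesProvider" android:authorities="com.example.share.files"
              android:exported="false" android:grantUriPermissions="true"/>
    <provider android:name=".OpenProvider" android:authorities="com.example.share.open"
              android:exported="true"/>
    <provider android:name=".GuardedProvider" android:authorities="com.example.share.guarded"
              android:exported="true" android:permission="com.example.share.ACCESS"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; without it, an intent-filter implies
    export for apps targeting releases below Android 12."""
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name, finding) tuples: leads for manual review, not verdicts."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for elem in app:
        if elem.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = elem.get(ANDROID + "name")
        guarded = any(elem.get(ANDROID + attr)
                      for attr in ("permission", "readPermission", "writePermission"))
        if is_exported(elem) and not guarded:
            findings.append((elem.tag, name, "exported without permission"))
        # A provider that can hand out temporary per-URI read/write grants.
        if elem.tag == "provider" and elem.get(ANDROID + "grantUriPermissions") == "true":
            findings.append((elem.tag, name, "can issue temporary URI grants"))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(*finding, sep=" | ")
```

An exported launcher activity is normal, so each finding still needs a look at what the component does with the data it receives from other apps.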
Probably the worst part of the whole report is the fact that Trend Micro says it shared these security issues with Smart Media4U about three months ago and that the company apparently did nothing. The report concludes:
We have reported these vulnerabilities to the provider, which has not yet responded. We decided to disclose our research three months after reporting it, as many users may be affected by this attack, because the attacker can steal sensitive data and do anything with the permission of the applications.
This isn’t the first time ShareIt has been flagged as a security risk, either. The application was blacklisted in the United States in January, when a vaguely worded executive order from Trump’s White House categorized it as one of several “Chinese connected” applications that Americans should stay away from for fear of where their data might go. On his way out the door, Trump issued a number of orders targeting the Asian technology sector, most of which appeared to be designed to antagonize and isolate Chinese companies. The order proclaims:
The United States has estimated that several Chinese connected software applications automatically capture large expanses of information from millions of U.S. users, including confidential personally identifiable information and private information. At this time, action must be taken to address the threat of these Chinese connected software applications …
It’s unlikely that a ton of Americans actually use ShareIt. Industry outlets seem to show that most of the app’s user base is in the Middle East, Africa and Asia (it was recently banned in India, where the government barred military service personnel from using the application for data security reasons). However, if you have downloaded ShareIt and are using it for some reason, it might be better to rethink that decision.
We have contacted Smart Media4U for comment and will update this story if we hear back.