Unpatched security flaw found in SHAREit for Android devices

Security researchers at Trend Micro released a report on Monday, February 15, explaining security vulnerabilities in the Android version of cross-platform file-sharing app SHAREit, which has racked up over a billion downloads.

According to the report, the vulnerabilities in SHAREit "can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app. They can also potentially lead to Remote Code Execution (RCE)."

SHAREit is also said to be susceptible to Man-in-the-Disk attacks. ZDNet, in its report, said these types of attacks – first written about by cybersecurity firm Check Point in 2018 – work around "insecure storage of sensitive app resources in a location of the phone's storage space shared with other apps – where they can be deleted, edited, or replaced by attackers. "

Google has been informed of these vulnerabilities. 

The researchers have disclosed their findings 3 months after reporting this to the vendor of the application, who has not responded to the disclosure with any comment.

The researchers opted to make the research public "since many users might by affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable."

The SHAREit vulnerabilities do not appear to affect the iOS version of the app. – Rappler.com