PSA: If you use ShareIt on Android, you should probably look for alternatives
If you’re using the ShareIt app on your phone, you may want to uninstall it right away. Cybersecurity giant Trend Micro has discovered glaring security vulnerabilities in the file-sharing app that can be “abused to leak a user’s sensitive data and execute arbitrary code with ShareIt permissions.”
In a report on the matter, Trend Micro has revealed (via Ars Technica) that ShareIt has access to a myriad of permissions on Android due to the functionality it offers. The app can access the entire storage and all media, use the camera and microphone, access location info, and much more. It can even delete other apps, run at startup, create accounts, and set passwords. Furthermore, ShareIt also has complete network access. Due to this extensive list of permissions, compromising the app can help attackers gain almost complete access to your phone and all your sensitive information. It also lets attackers execute malicious code remotely.
Elaborating on one of the vulnerabilities, Ars Technica reveals that ShareIt has one common Android app vulnerability that can give attackers read/write access to all of its files. The publication notes: “Android prides itself on intra-app communication, partly because any app can create a content provider and provide its content and services to other apps. If Gmail wants to attach a file to an email, it can do that by showing a list of available file-content providers installed on your phone (it’s basically an “open with” dialog box), and the user can pick their favorite file manager, navigate through their storage, and pass the file they want to Gmail. It’s up to developers to sanitize these cross-app capabilities and only expose the necessary file manager capabilities to Gmail and other apps.”
However, the developers behind ShareIt haven’t given much thought to limiting the app’s content-provider capabilities, which can give attackers access to all files in ShareIt’s “private” directory. In effect, this vulnerability allows attackers to call on ShareIt’s file-content provider and pass it a file path to get access to all of its data files. This allows third-party apps to edit the data ShareIt uses to run, including the app cache generated during install and runtime. Trend Micro claims that “an attacker may craft a fake [app cache] file, then replace those files via the aforementioned vulnerability to perform code execution.”
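The flaw described above comes down to a file-content provider trusting a file path supplied by the calling app. The following Java is an added example, not code from ShareIt, Trend Micro or Ars Technica: the class, method names and directory layout are hypothetical, and it sets the weak pattern beside a check that confines every request to one dedicated share directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example; every name and the directory layout are hypothetical.
public class SharedFileResolver {

    // Weak pattern: the caller-supplied string is used as the path, so any
    // file the app itself can open becomes reachable by the calling app.
    static File resolveNaive(String requestedPath) {
        return new File(requestedPath);
    }

    // Hardened: resolve against one share directory, canonicalize (collapses
    // "..", follows symlinks), then require the result to stay inside it.
    // Path.startsWith compares whole components ("shared-x" is not "shared").
    static File resolveConfined(File shareRoot, String requestedPath) throws IOException {
        Path root = shareRoot.getCanonicalFile().toPath();
        Path target = root.resolve(requestedPath).toFile().getCanonicalFile().toPath();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new SecurityException("outside share directory: " + requestedPath);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for an app's private data directory.
        Path appData = Files.createTempDirectory("appdata");
        Path shared = Files.createDirectories(appData.resolve("files/shared"));
        Path cache = Files.createDirectories(appData.resolve("cache"));
        Files.write(shared.resolve("photo.jpg"), new byte[] {1});
        Files.write(cache.resolve("app.cache"), new byte[] {2});

        String[] requests = {
            "photo.jpg",                           // intended use
            "../../cache/app.cache",               // climbs out of the share dir
            cache.resolve("app.cache").toString()  // absolute path to private data
        };
        System.out.println("naive reads private file: " + resolveNaive(requests[2]).canRead());
        for (String r : requests) {
            try {
                System.out.println("allowed  " + resolveConfined(shared.toFile(), r));
            } catch (SecurityException e) {
                System.out.println("rejected " + r);
            }
        }
    }
}
```

The logic is plain Java and runs on a desktop JVM; in an Android app the same check would sit in front of whatever file the provider's `openFile` hands back to the caller.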
Since ShareIt also features an Android app installer, it is also susceptible to a “Man-in-the-disk” attack. Due to the vulnerability mentioned above, attackers have the ability to swap out install packages with a malicious app as soon as they’re downloaded. This could lead users to install malicious apps on their devices unknowingly. Furthermore, ShareIt’s game store has the ability to download app data over unsecured HTTP. This can be subject to a “Man-in-the-middle” attack. As Ars Technica explains, “ShareIt registers itself as the handler for any link that ends in its domains, like “wshareit.com” or “gshare.cdn.shareitgames.com,” and it will automatically pop up when users click on a download link. Most apps force all traffic to HTTPS, but ShareIt does not. Chrome will shut down HTTP download traffic, so this would have to be done through a Web interface other than the main browser.”
Trend Micro has already reported the vulnerabilities to ShareIt, but its developers haven’t released any patches to address the issues so far. We’d recommend uninstalling the app until the developers issue a fix. Until then, you can use Google’s Files app for all your local file-sharing needs.