Unpatched Android App with 1 Billion Downloads Threatens Spying, Malware
Attackers can exploit SHAREit permissions to execute malicious code through vulnerabilities that remain unpatched three months after app makers were informed.
SHAREit’s Bevy of Security Bugs
“We delved into the app’s code and found that it declares the broadcast receiver as ‘com.lenovo.anyshare.app.DefaultReceiver,’” Duan explained in the post. “It receives the action ‘com.ushareit.package.action.install_completed’ and Extra Intent then calls the startActivity() function.”
Researchers built a simple proof of concept (PoC) and found that “any app can invoke this broadcast component,” he said. “This shows arbitrary activities, including SHAREit’s internal (non-public) and external app activities.”
Moreover, third parties can also gain temporary read/write access to the content provider’s data through a flaw in its FileProvider, Duan wrote. “Even worse, the developer specified a wide storage area root path,” he wrote. “In this case, all files in the /data/data/<package> folder can be freely accessed.”
In Trend Micro’s PoC, researchers included code that reads WebView cookies, which was used to write any files in the SHAREit app’s data folder. “In other words, it can be used to overwrite existing files in the SHAREit app,” Duan said of the attack.
In this way, malicious apps installed on a device running SHAREit can take over the app to run custom code or install third-party apps without the user knowing, researchers found.
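The two weaknesses described above (an exported broadcast receiver that forwards a caller-supplied Intent to startActivity(), and a FileProvider whose path configuration hands out the whole app data directory) are both visible in an app's manifest and FileProvider path resources. The following static audit is an added example, not code from the Threatpost article or from SHAREit; it parses a constructed AndroidManifest.xml and xml/file_paths.xml (the receiver and action names are the ones quoted in the article, the package name and provider authority are made up) and flags components reachable from other apps without a guarding permission, and FileProvider path entries that expose a storage root. It assumes the "wide storage area root path" the article mentions corresponds to a `<root-path>` entry or a path of "." or "/".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample manifest. Receiver and action names are those quoted in
# the article; package name and provider authority are invented for the demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shareit">
  <application>
    <receiver android:name="com.lenovo.anyshare.app.DefaultReceiver"
              android:exported="true">
      <intent-filter>
        <action android:name="com.ushareit.package.action.install_completed"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="com.example.shareit.fileprovider"
              android:exported="false"
              android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/file_paths"/>
    </provider>
  </application>
</manifest>
"""

# Constructed xml/file_paths.xml. A root-path with path="." maps the provider
# onto the whole filesystem root; a files-path with "." would expose all of
# /data/data/<package>/files. Both are the "wide root path" pattern.
SAMPLE_FILE_PATHS = """<paths>
  <root-path name="root" path="."/>
  <cache-path name="cache" path="shared/"/>
</paths>
"""

COMPONENT_TAGS = ("activity", "receiver", "service", "provider")


def find_exported_components(manifest_xml):
    """Return (tag, name) for every component any other app can invoke:
    android:exported="true", or exported unset while an intent-filter is
    declared (implicitly exported before API 31), and no android:permission
    guarding it. An exported receiver that forwards an Intent from its extras
    to startActivity() is exactly the bug class the article describes."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            reachable = exported == "true" or (exported is None and has_filter)
            if reachable and _attr(comp, "permission") is None:
                findings.append((tag, _attr(comp, "name")))
    return findings


def find_broad_provider_paths(paths_xml):
    """Return (element, name, path) for FileProvider path entries that grant
    access to an entire storage root rather than a dedicated subdirectory.
    Any <root-path> is flagged; other entries are flagged when their path is
    empty, "." or "/"."""
    root = ET.fromstring(paths_xml)
    findings = []
    for entry in root:
        path = entry.get("path", "")
        if entry.tag == "root-path" or path.strip("/") in ("", "."):
            findings.append((entry.tag, entry.get("name"), path))
    return findings


def audit(manifest_xml, paths_xml):
    """Run both checks and return the findings keyed by check name."""
    return {
        "reachable_without_permission": find_exported_components(manifest_xml),
        "broad_provider_paths": find_broad_provider_paths(paths_xml),
    }


if __name__ == "__main__":
    for check, items in audit(SAMPLE_MANIFEST, SAMPLE_FILE_PATHS).items():
        for item in items:
            print(f"{check}: {item}")
```

Run against the constructed input, the audit reports the exported DefaultReceiver and the `root-path` entry, and nothing else. The fix on the manifest side is `android:exported="false"` (or a signature-level `android:permission`) for components that only the app itself needs to trigger, plus never passing an Intent taken from a caller's extras straight to startActivity(); on the provider side, each `<paths>` entry should name a dedicated subdirectory such as `shared/` rather than a root.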
Man-in-the-Disk Mobile Threat
SHAREit also is susceptible to an MiTD attack, a variation on a man-in-the-middle attack identified by Check Point in 2018 that arises from the way the Android OS uses two types of storage—internal and external, the latter of which uses a removable SD card and is shared across the OS and all apps.
This type of attack allows someone to intercept and potentially alter data as it moves between Android external storage and an installed app, and is possible using SHAREit “because when a user downloads the app in the download center, it goes to the directory,” Duan wrote. “The folder is an external directory, which means any app can access it with SDcard write permission.”
Researchers illustrated this in their PoC by manually replacing Twitter.apk with a fake file of the same name. As a result, a pop-up for the fake Twitter app appeared on the main screen of the SHAREit app, Duan wrote. Reopening SHAREit caused the fake Twitter app to appear on the screen again, prompting the user to install it, an action that succeeds, according to the post.
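The man-in-the-disk scenario above works because the downloaded APK sits in a world-writable external directory between download and install, so any app with SD card write permission can swap it. The standard mitigation is to move the file into app-private storage before trusting it and to verify its digest there, against a value obtained from a trusted source (for example, advertised by the download server), not against the file still sitting on shared storage. The following is an added example illustrating that check, not code from the article or from SHAREit; the APK contents, the "server-advertised" digest and the directories are all constructed, and `stage_and_verify` is a hypothetical helper name.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy a file out of shared (external) storage into the app-private
    directory, then verify the digest of the PRIVATE copy. Hashing the
    shared file first and copying afterwards would leave a window in which
    another app could replace it; verifying the private copy closes that.
    Returns the staged path on success, None (and removes the copy) on
    mismatch."""
    os.makedirs(private_dir, exist_ok=True)
    staged = os.path.join(private_dir, os.path.basename(shared_path))
    shutil.copyfile(shared_path, staged)
    if sha256_of(staged) != expected_sha256:
        os.remove(staged)
        return None
    return staged


def demo():
    """Simulate the download-then-swap sequence with constructed data.
    Returns (genuine_accepted, tampered_accepted)."""
    # Constructed stand-ins; a real APK is a ZIP but the bytes do not matter here.
    genuine = b"PK\x03\x04 constructed stand-in for the real Twitter.apk"
    fake = b"PK\x03\x04 constructed stand-in for a swapped-in file"
    # Digest the download server advertised alongside the file (constructed).
    advertised = hashlib.sha256(genuine).hexdigest()

    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "Twitter.apk")   # shared "download center" dir
        with open(apk, "wb") as f:
            f.write(genuine)
        genuine_ok = stage_and_verify(apk, private, advertised) is not None

        # Another app with SD card write permission rewrites the shared file
        # under the same name, as in the article's PoC.
        with open(apk, "wb") as f:
            f.write(fake)
        tampered_ok = stage_and_verify(apk, private, advertised) is not None

    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine accepted, tampered accepted:", demo())
```

The untouched download verifies and is staged; the swapped file fails the digest check and is discarded, so the install prompt is never shown for it. The digest must come from somewhere the attacker cannot write, which is why the example models it as a server-advertised value rather than one computed from the shared file after download.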
Softonic had not yet responded to an email from Threatpost seeking comment about Trend Micro’s discoveries, which are not the first serious flaws found in SHAREit. Two years ago researchers discovered two high-severity flaws in the app that allowed an attacker to bypass the file transfer application’s device authentication mechanism and ultimately download content and arbitrary files from the victim’s device.
Duan recommended that people regularly update and patch mobile operating systems and the apps themselves to maintain security on their devices, as well as “keep themselves informed by reading reviews and articles about the apps they download.”
Source: threatpost.com