1 billion downloads and Android apps can hijack your phone — Protect yourself Now [Update]

1 billion downloads and Android apps can hijack your phone — Protect yourself Now [Update]

Have you used SHAREit, an Android and iOS app that allows you to share files with others who have the app installed on their phones, sort of a cross-platform version of Apple's AirDrop?

If so, you may want to disable or uninstall the Android version of SHAREit

Yesterday (February 15), security firm Trend Micro reported that the Android version of SHAREit (not the iOS version) could be used as a backdoor to steal personal information or take over phones

SHAREit has not been patched, despite being notified about the flaw three months ago, Trend Micro said

"Because attackers can steal sensitive data and many users could be affected by this attack, we decided to publish our investigation three months after this report," Trend Micro's Echo Duan and Jesse Chang wrote in the report

Trend Micro showed a screenshot of the app's Google Play page, showing that the last update at the time was made on January 26, 2021 The current page states that the last update to improve the user experience was made on February 9

The SHAREit flaw must be leveraged by malicious apps and malicious code already installed on Android devices, the report states However, since SHAREit allows users to send Android app installers to each other, attackers may easily be able to do so

"By exploiting this vulnerability, malicious code or apps could be used to compromise users' sensitive data or execute arbitrary code with SHAREit's privileges It could also lead to remote code execution (RCE)"

The SHAREit app can download and install games directly from its own app store outside of the Google Play store However, since the connection to the SHAREit app store is not secure, it is trivial for an attacker to launch a man-in-the-middle attack to inject malicious code into the connection and redirect the link so that the phone downloads malware

Malicious links can also be embedded in websites Trend Micro tested this attack on Google Chrome and found that the attack did not work because the browser detected suspicious behavior However, it is possible that this attack could work on other Android browsers

The means of attack still exists: SHAREit stores downloaded games in an unprotected directory, which other Android apps can access and write to The Trend Micro team has shown that this process can be used to install a malicious version of Twitter

To ensure protection against SHAREit flaws and similar attacks, go to Settings > Apps > Access to Special Apps > Install Unknown Apps to see how many apps have permission to install other apps on their own google play Turn off that permission for all apps except

We also recommend running one of the best Android antivirus apps It will catch almost anything a rogue app tries to install

Interestingly, SHAREit appears to have originated as a Lenovo app preinstalled on Windows laptops and Lenovo phones, although the Android package name is still "comlenovoanysharegps" Lenovo appears to have stopped supporting this app in 2017

A 2016 Lenovo security advisory cited security issues with SHAREit, stating that "users with older Android versions may be vulnerable to remote code execution, or UXSS attacks, and any Android version users may be vulnerable to intentional scheme attacks"

These are similar to the flaws cited by Trend Micro yesterday; another Lenovo security advisory in 2016 said SHAREit can cause "remote browsing of file systems, unauthorized access to files on Windows" "

It stated

The app is owned by a company called Smart Media4U Technology Pte Ltd from Lenovo, which is registered in Singapore but also appears to have operations in India and Malaysia

Tom's Guide has contacted both Smart Media4U Technology and Lenovo for comment

In response to our inquiry, a Lenovo spokesperson provided the following statement to Tom's Guide

"SHAREit is a product manufactured, distributed and maintained by uSHAREit the SHAREit app was initially called 'anyshare' and developed by a team at Lenovo, but was separated in 2015 as part of a broader sale of non-core businesses"

SHAREit responded to our inquiry on February 19

"The security of our apps and our users' data is of paramount importance to us We are committed to protecting the privacy and security of our users and adapting our apps to address security threats"

"On February 15, 2021, we became aware of a report by Trend Micro Inc regarding potential security vulnerabilities in our apps We worked quickly to investigate this report and on February 19, 2021, we released a patch to address the alleged vulnerability"

Categories