One of the many security researchers' job, is to leave no rocks unturned. Bugs can hide from the surface, and they know this fact very well.
This time, researchers at the security firm Trend Micro reported that the Android version of 'SHAREit', which has more than one billion downloads, contains unpatched vulnerabilities that the app's developer failed to fix in more than three months.
SHAREit is a popular mobile app from developer Smart Media4U Technology Pte.Ltd., which allows users to share files with friends or between personal devices.
It receives widespread praise because of its easiness of use, its speed, and its support for all types of files, What's more, SHAREit also offers free online feeds to include movies, videos, music, wallpapers, abd GIFs. SHAREit also added its own media player, which helps users manage their own media.
But with that widespread praise, the unpatched bugs mean that the app is posing risks to its more than 1 billion users.
According to a website post by Trend Micro:
The cause of the bugs, is the lack of proper restrictions on who can tap into the app's code.
According to the researchers at Trend Micro, malicious apps installed on a users' device, or attackers who perform a man-in-the-middle network attack, can send malicious commands to the SHAREit app, in order to hijack the app's legitimate features to run custom commands.
Hackers can also overwrite the app's local files, or install third-party apps without the user's knowledge.
The app is also vulnerable to so-called man-in-the-disk attacks, a type of vulnerability that revolves around the insecure storage of sensitive app resources in a location of the phone's storage space shared with other apps.
"In this case, all files in the /data/data/
What's more, tha app also provides a feature that can install an APK files.
In other words, when exploited, the bugs are devastating.
Making things worse, Trend Micro has notified the developer of the app about the vulnerabilities, but received no respond.
SHAREit's developer did not respond to Trend Micro's inquiry for more than three months.
"We reported these vulnerabilities to the vendor, who has not responded yet," Trend Micro's post continued.
"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data."
At this time, SHAREit has over 1 billion downloads in Google Play and has been named as one of the most downloaded applications in 2019.
Google has also been informed of these vulnerabilities.
It should be noted that the bugs only affect SHAREit's Android app, and don't impact SHAREit on iOS.