An Android app that has been downloaded more than 1 billion times has flaws that can let attackers hijack app features, overwrite existing files to execute malicious code, or launch man-in-the-disk (MiTD) attacks on users’ devices, researchers discovered.
Attackers can exploit SHAREit permissions to execute malicious code through vulnerabilities that remain unpatched 3 months after the app maker was told.
The flaws are in an app called SHAREit, which lets Android users share files with friends or between devices.
They were identified & reported to the app maker 3 months ago by researchers at Trend Micro. However, the flaws remain unpatched, according to a report posted online Monday. Softonic, a company based in Barcelona, Spain, is the app’s developer & distributor.
“We decided to disclose our research 3 months after reporting this since many users might be affected by this attack, because the attacker can steal sensitive data & do anything with the apps’ permission,” Echo Duan, a Mobile Threats Analyst for Trend Micro, wrote in the report. “It is also not easily detectable.”
Trend Micro also notified Google of the app’s issues. They stem from several flaws in its code that too easily give 3rd parties permission to take over legitimate app features, overwrite existing app files or even abuse Android storage shared by multiple apps to execute malicious code, he commented.
“We delved into the app’s code & found that it declares the broadcast receiver as ‘com.lenovo.anyshare.app.DefaultReceiver,’” Duan explained in his post. “It receives the action ‘com.ushareit.package.action.install_completed’ & an Extra Intent, then calls the startActivity() function.”
Researchers built a simple proof of concept (PoC) & found that “any app can invoke this broadcast component,” he said. “This shows arbitrary activities, including SHAREit’s internal (i.e., non-public) & external app activities.”
Moreover, 3rd parties can also gain temporary read/write access to the content provider’s data through a flaw in its File Provider, Duan wrote. “Even worse, the developer specified a wide storage area root path,” he wrote. “In this case, all files in the /data/data/<package> folder can be freely accessed.”
Trend Micro’s PoC included code that reads WebView cookies; the same access was also used to write arbitrary files in the SHAREit app’s data folder. “In other words, it can be used to overwrite existing files in the SHAREit app,” Duan commented of the attack.
In this way, malicious apps installed on a device running SHAREit can take over the app to run custom code or install 3rd-party apps without the user knowing, researchers found.
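The two code-level weaknesses described above are an exported broadcast receiver that forwards a caller-supplied Intent to startActivity() (intent redirection), and a FileProvider whose root path exposes the whole app data directory. The following is an added example, not SHAREit’s or Trend Micro’s code: it shows the vulnerable receiver pattern next to a hardened version that only launches explicit, in-package activities and refuses forwarded URI-permission grants. The package name, action string and extra name are assumptions made for illustration.

```java
// Added example (not SHAREit's or Trend Micro's code). Package, action and extra
// names are hypothetical; the real app declares its own.
package com.example.shareit_like;

import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class InstallCompletedReceivers {
    private static final String TAG = "InstallCompleted";
    static final String INSTALL_COMPLETED_ACTION = "com.example.action.INSTALL_COMPLETED";
    static final String EXTRA_NEXT_INTENT = "next_intent";

    /** The pattern the report describes: any app can send the broadcast, and the
     *  receiver launches whatever Intent the sender placed in the extras. */
    public static class VulnerableReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!INSTALL_COMPLETED_ACTION.equals(intent.getAction())) return;
            Intent next = intent.getParcelableExtra(EXTRA_NEXT_INTENT);
            if (next == null) return;
            // No check on the sender or the target: a caller reaches this app's
            // non-exported activities, running with this app's identity and grants.
            next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(next);
        }
    }

    /** Hardened version. The manifest entry for this receiver should additionally
     *  carry android:exported="false" (or require a signature-level permission), so
     *  other apps cannot deliver the broadcast at all; this code is defence in depth. */
    public static class HardenedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!INSTALL_COMPLETED_ACTION.equals(intent.getAction())) return;
            Intent next = intent.getParcelableExtra(EXTRA_NEXT_INTENT);
            if (next == null || !isSafeToLaunch(context, next)) {
                Log.w(TAG, "dropping untrusted forwarded intent: " + next);
                return;
            }
            next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(next);
        }
    }

    /** Accept only explicit Intents that target a component in our own package and
     *  carry no URI-permission grants or content: URIs, so a forwarded Intent cannot
     *  hand out access to our FileProvider data. */
    static boolean isSafeToLaunch(Context context, Intent next) {
        ComponentName target = next.getComponent();
        if (target == null) return false;  // implicit intent: could resolve anywhere
        if (!context.getPackageName().equals(target.getPackageName())) return false;
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
        if ((next.getFlags() & grantFlags) != 0) return false;
        if (next.getData() != null && "content".equals(next.getData().getScheme())) return false;
        return true;
    }

    // Companion fix for the wide FileProvider root path the report describes:
    // in the provider's res/xml paths file, replace
    //   <root-path name="root" path="." />
    // with a scoped element such as
    //   <files-path name="shared" path="shared/" />
    // so only files under getFilesDir()/shared can be exposed through the provider.
}
```

The scheme check matters because a content: URI pointing back at the app’s own provider is exactly what the PoC relied on to read and write files under /data/data/<package>; narrowing the FileProvider path limits the damage even if a grant slips through.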
SHAREit is also susceptible to an MiTD attack, a variation on a man-in-the-middle attack identified by Check Point in 2018 that arises from the way the Android OS uses 2 types of storage—internal & external, the latter of which uses a removable SD card & is shared across the OS & all apps.
This type of attack allows someone to intercept & potentially alter data as it moves between Android external storage & an installed app. It is possible using SHAREit “because when a user downloads the app in the download centre, it goes to the directory,” Duan wrote. “The folder is an external directory, which means any app can access it with SD card write permission.”
Fake File Twitter app
Researchers illustrated this in their PoC by manually replacing Twitter.apk with a fake file of the same name. As a result, a pop-up for the fake Twitter app appeared on the main screen of the SHAREit app, Duan wrote.
Reopening SHAREit caused the fake Twitter app to appear on the screen again, prompting the user to install it, and the installation succeeds, according to the post.
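The Twitter.apk swap works because the download lands in shared external storage and is later installed without any check that the file is still the one that was downloaded. The following is an added example, not SHAREit’s code, of the two mitigations a defender would expect: keeping the download in app-private internal storage, and verifying the file’s SHA-256 digest and package name immediately before the user is prompted to install. The expected digest is assumed to come from the app’s own server over TLS; the class and method names are illustrative.

```java
// Added example (not SHAREit's code). Assumes the expected SHA-256 for the APK is
// obtained from the app's own server over TLS; names here are hypothetical.
package com.example.shareit_like;

import android.content.Context;
import android.content.pm.PackageInfo;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class ApkDownloadGuard {
    private ApkDownloadGuard() {}

    /** App-private internal storage (/data/data/<package>/files/downloads): other
     *  apps cannot read or replace files here, unlike a public external directory
     *  that any app with SD card write permission can rewrite between download and
     *  install, which is the man-in-the-disk window. */
    public static File privateDownloadTarget(Context context, String fileName) {
        // Reject separators and dot names so a server-supplied name cannot escape.
        if (fileName.isEmpty() || fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("bad file name: " + fileName);
        }
        File dir = new File(context.getFilesDir(), "downloads");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IllegalStateException("cannot create " + dir);
        }
        return new File(dir, fileName);
    }

    /** Lower-case hex SHA-256 of a file, read in chunks. */
    public static String sha256Hex(File file) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        try (InputStream in = new FileInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** True only if the file on disk still matches the digest obtained over the
     *  trusted channel and the package inside it is the one the user asked for.
     *  Call this right before handing the file to the installer, not at download
     *  time, so a later swap on disk is still caught. */
    public static boolean isInstallable(Context context, File apk,
                                        String expectedSha256Hex,
                                        String expectedPackage) throws IOException {
        if (!sha256Hex(apk).equalsIgnoreCase(expectedSha256Hex)) return false;
        PackageInfo info = context.getPackageManager()
                .getPackageArchiveInfo(apk.getAbsolutePath(), 0);
        return info != null && expectedPackage.equals(info.packageName);
    }
}
```

With the file in internal storage the swap cannot happen at all; the digest check is the second layer for the case where a download directory is shared for legitimate reasons, and it turns the fake-Twitter pop-up described above into a refused install.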
Not First Time
Trend Micro’s discoveries are not the 1st time serious flaws have been found in SHAREit. 2 years ago, researchers discovered 2 high-severity flaws in the app that allowed an attacker to bypass the file transfer application’s device authentication mechanism & ultimately download content & arbitrary files from the victim’s device.
Duan recommended that people regularly update & patch mobile operating systems & the apps themselves to maintain security on their devices, as well as “keep themselves informed by reading reviews & articles about the apps they download.”