


Android app with 1 billion downloads could hijack your phone — protect yourself now [updated]


Have you ever used SHAREit? It's an Android and iOS app that lets you share files with other people who have the app installed on their phones, sort of a cross-platform version of Apple's AirDrop.

If so, then you might want to disable or uninstall the Android version of SHAREit, which has more than one billion downloads according to Google Play.


A report from security firm Trend Micro yesterday (Feb. 15) said the Android version (but not the iOS version) of SHAREit can be used to steal personal information or even used as a backdoor to take over phones.

SHAREit hasn't patched the flaws despite being notified of them three months ago, Trend Micro said.

"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," wrote Trend Micro's Echo Duan and Jesse Chang in the report.

Trend Micro showed a screenshot of the app's Google Play page, which indicated the last update then had been made on Jan. 26, 2021. The page currently states the last update was on Feb. 9 to improve the user experience.

A very dangerous app

The flaws in SHAREit would have to be leveraged by a malicious app or rogue code that was already installed on the Android device, the report said. But because SHAREit lets users send Android app installers to each other, an attacker might find that easy to achieve.

"The vulnerabilities can be abused to leak a user's sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app," said the Trend Micro report. "They can also potentially lead to Remote Code Execution (RCE)."

The SHAREit app can directly download and install games from its own app store, outside the Google Play store. But because the connection to SHAREit's app store is not secure, it would be trivial for an attacker to stage a man-in-the-middle attack to inject malicious code into the connection and redirect the link so that your phone downloads malware.

A malicious link could even be embedded in a website. Trend Micro tried that out and found that the attack didn't work in Google Chrome because the browser detected suspicious behavior. But it's possible the attack might work in other Android browsers.

There's yet another avenue of attack. SHAREit saves downloaded games into an unprotected directory that any other Android app can access and write to. Trend Micro's team showed they could install a malicious version of Twitter using this process.

How to protect yourself from this flaw

To make certain you're safe from SHAREit flaws and similar attacks, go into Settings > Apps > Special app access > Install unknown apps and see how many apps have the ability to install other apps on their own. Turn off that permission for every app but Google Play.
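For anyone who would rather audit this over adb than tap through Settings, the following added example (not from the original article or from Trend Micro) parses `adb shell dumpsys package` output and lists every app other than Google Play that declares the permission behind the "Install unknown apps" toggle. The sample output is constructed and its layout is an assumption; declaring the permission only makes an app eligible for the toggle, so the switch itself still has to be checked in Settings.

```python
import re

# Manifest permission an app must declare to be offered "Install unknown apps".
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ALLOWED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed sample shaped like `adb shell dumpsys package` output (assumed layout).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.vending] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.lenovo.anyshare.gps] (5d6e7f8):
    userId=10151
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
  Package [com.example.notes] (9a0b1c2):
    requested permissions:
      android.permission.INTERNET
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")

def requested_permissions(dumpsys_text):
    """Map each package name to the set of permissions its manifest requests."""
    result, package, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        match = PACKAGE_RE.match(line)
        stripped = line.strip()
        if match:
            package, in_requested = match.group(1), False
            result[package] = set()
        elif stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith(":"):
            in_requested = False  # any other section header ends the list
        elif in_requested and package and stripped:
            result[package].add(stripped.split(":", 1)[0])
    return result

def unexpected_installers(dumpsys_text, allowed=ALLOWED_INSTALLERS):
    """Packages that declare the install permission but are not on the allowlist."""
    perms = requested_permissions(dumpsys_text)
    return sorted(pkg for pkg, wanted in perms.items()
                  if INSTALL_PERMISSION in wanted and pkg not in allowed)
```
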

You'll also want to be running one of the best Android antivirus apps. It'll catch nearly everything that rogue apps will attempt to install.

Who owns this app?

Interestingly, SHAREit seems to have begun life as a Lenovo app pre-installed on Windows laptops and Lenovo phones. The Android package name is still "com.lenovo.anyshare.gps," but Lenovo appears to have stopped supporting the app in 2017.

A Lenovo security advisory from 2016 cited security issues with SHAREit, stating that "users with older Android versions may be vulnerable to remote code execution, or a UXSS attack and users with any Android version may be vulnerable to an intent scheme attack."

Those sound a lot like the flaws cited by Trend Micro yesterday. A separate Lenovo security advisory from 2016 said SHAREit could result in "remote browsing of file system, and unauthorized access of files on Windows."

It's not clear how ownership of the app passed from Lenovo to a company called Smart Media4U Technology Pte. Ltd., which is registered in Singapore but appears to have operations in India and Malaysia as well.

Tom's Guide has reached out to both Smart Media4U Technology and Lenovo seeking comment, and we will update this story when we receive replies.

In response to our query, a Lenovo spokesperson provided Tom's Guide with this statement.

"SHAREit is a product produced, distributed and maintained by the company uSHAREit. The SHAREit app, initially called 'anyshare,' was developed by teams at Lenovo, but was spun off in 2015 as part of a wider divestment of non-core businesses."

The SHAREit company responded Feb. 19 to our query.

"The security of our app and our users' information is of utmost importance to us," read a statement from the company. "We are fully committed to protecting user privacy and security and adapting our app to meet security threats.

"On February 15, 2021, we became aware of a report by Trend Micro about potential security vulnerabilities in our app. We worked quickly to investigate this report, and on February 19, 2021, we released a patch to address the alleged vulnerabilities."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/shareit-app-android-flaws

Posted by: sheppardonthe1952.blogspot.com
