Cybersecurity company Trend Micro has said that the ShareIt Android app, which has over 100 crore downloads on the Google Play Store, has several security flaws. According to the company, the vulnerabilities can be exploited to leak users' sensitive data and to execute arbitrary code with the app's permissions. The app was originally developed by Lenovo and was eventually spun off into its own separate company, but for some time it came pre-installed on Lenovo phones.
ShareIt requires users to grant it access to all of their storage and media, as well as the camera, microphone and location. Apart from this, the app can also delete other apps, create accounts and set passwords, and run at startup, among much more, and it has complete network access. Remote code can be executed if the app is compromised. Trend Micro has said that it brought these issues to the notice of ShareIt three months ago, but the company has yet to do anything about them.
ShareIt became a very popular sharing platform, with 1.8 billion global users across various platforms. It has also diversified into a platform offering infinite online videos and millions of songs in high quality, with a social network-like media section. It also has a game store and a retail section to download movies. ShareIt's website also does not default to HTTPS.
The report by Trend Micro also said that ShareIt's private storage is open to the world, and that the app has its own Android app installer. Such an installer needs to keep the packages it installs in private storage, but ShareIt does not do that: the install package is downloaded to public storage, so an attacker can swap it for a malicious one after it has been downloaded but before it is installed. Users would believe that they were downloading a trusted app, but would end up installing a malicious one instead.
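The installer weakness described above is a gap between checking a package and using it while the file sits in storage other apps can write to. As an added illustration (not code from Trend Micro's report or from ShareIt), this Java example copies the package into a private directory first, hashes that private copy, and only returns it for installation if the digest matches. The class and method names are hypothetical, the temporary directories stand in for Android shared storage and the app-private directory, and the expected digest is assumed to arrive over a trusted channel.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.HexFormat;

public class StagedInstall {
    // Copy out of shared storage, then hash the private copy. Hashing the
    // shared original would leave a window for a swap between check and use.
    static Path stageAndVerify(Path downloaded, Path privateDir, String expectedSha256)
            throws Exception {
        // createTempFile gives an owner-only file on POSIX file systems.
        Path staged = Files.createTempFile(privateDir, "pkg-", ".apk");
        Files.copy(downloaded, staged, StandardCopyOption.REPLACE_EXISTING);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(staged)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        byte[] expected = HexFormat.of().parseHex(expectedSha256);
        if (!MessageDigest.isEqual(md.digest(), expected)) {
            Files.delete(staged);
            throw new SecurityException("package digest mismatch, refusing to install");
        }
        return staged; // install from this path, never from the shared original
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: "shared" plays public storage, "priv" the
        // app-private directory (Context.getFilesDir() on Android).
        Path shared = Files.createTempDirectory("shared");
        Path priv = Files.createTempDirectory("priv");
        Path apk = shared.resolve("update.apk");
        byte[] original = "constructed package bytes".getBytes();
        Files.write(apk, original);
        // Assumption: in a real app this digest comes from a trusted source.
        String expected = HexFormat.of().formatHex(
                MessageDigest.getInstance("SHA-256").digest(original));

        System.out.println("verified copy: " + stageAndVerify(apk, priv, expected));

        Files.write(apk, "different bytes".getBytes()); // file changed after download
        try {
            stageAndVerify(apk, priv, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with Java 17 or later (`java StagedInstall.java`); the first call prints the staged path and the second is rejected because the shared file no longer matches the expected digest.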