An Android application downloaded more than one billion times contains unpatched vulnerabilities that the app maker has failed to fix for more than three months.
The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, Echo Duan, a mobile threats analyst for security firm Trend Micro, said in a report on Monday.
The root cause of the security flaws is the lack of proper restrictions on who can tap into the application's code.
Duan said that malicious apps installed on a user's device, or attackers who perform a person-in-the-middle network attack, can send malicious commands to the SHAREit app and hijack its legitimate features to run custom code, overwrite the app's local files, or install third-party apps without the user's knowledge.
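As an added illustration of the root cause described above (not SHAREit's own manifest or code; the component, action and permission names are placeholders), this is what an unrestricted Android component looks like in an app manifest, beside two hardened forms:

```xml
<!-- Added example with placeholder names; not SHAREit's manifest. -->

<!-- Weak: exported with no permission, so any app on the device (or anything
     that can inject an intent) can trigger this receiver's logic. -->
<receiver android:name=".CommandReceiver"
          android:exported="true">
    <intent-filter>
        <action android:name="com.example.placeholder.ACTION_RUN" />
    </intent-filter>
</receiver>

<!-- Hardened, option 1: the component is only used inside the app itself,
     so keep it private. -->
<receiver android:name=".CommandReceiver"
          android:exported="false" />

<!-- Hardened, option 2: other apps from the same developer need to call it,
     so gate it behind a signature-level permission; only apps signed with
     the same key are granted it. -->
<permission android:name="com.example.placeholder.permission.SEND_COMMAND"
            android:protectionLevel="signature" />
<receiver android:name=".CommandReceiver"
          android:exported="true"
          android:permission="com.example.placeholder.permission.SEND_COMMAND">
    <intent-filter>
        <action android:name="com.example.placeholder.ACTION_RUN" />
    </intent-filter>
</receiver>
```

A quick audit check is to list every activity, service, receiver and provider in the manifest that has an intent filter or `android:exported="true"` and confirm each one either needs to be reachable from outside the app or carries a suitable permission.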
Furthermore, the app is also vulnerable to so-called Man-in-the-Disk attacks, a type of vulnerability first described by Check Point in 2018 that revolves around the insecure storage of sensitive app resources in a location of the phone's storage space shared with other apps — where they can be deleted, edited, or replaced by attackers.
"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today.
"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added, while also noting that any attacks would also be hard to detect from a defender's perspective.
Contacted via email, a SHAREit spokesperson did not return a request for comment before this article's publication.
Duan said he also shared his findings with Google but did not elaborate on the Play Store owner's response.
On its website, SHAREit developers claim their apps are used by 1.8 billion users across more than 200 countries worldwide. The vulnerabilities do not impact the SHAREit iOS app, which runs on a different codebase.
Updated on February 19 to add that SHAREit has emailed ZDNet today to say they have patched the vulnerability reported by Trend Micro.