Android app with 1 billion downloads could hijack your phone — protect yourself now [updated]

Have you ever used SHAREit? It's an Android and iOS app that lets you share files with other people who have the app installed on their phones, sort of a cross-platform version of Apple's AirDrop.

If so, then you might want to disable or uninstall the Android version of SHAREit, which has more than one billion downloads according to Google Play. 

A report from security firm Trend Micro yesterday (Feb. 15) said the Android version (but not the iOS version) of SHAREit could be abused to steal personal information or even to take control of the phone. 

SHAREit hasn't patched the flaws despite being notified of them three months ago, Trend Micro said.

"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," wrote Trend Micro's Echo Duan and Jesse Chang in the report.

Trend Micro showed a screenshot of the app's Google Play page, which indicated the last update then had been made on Jan. 26, 2021. The page currently states the last update was on Feb. 9 to improve the user experience.

A very dangerous app

The flaws in SHAREit would have to be leveraged by a malicious app or rogue code that was already installed on the Android device, the report said. But because SHAREit lets users send Android app installers to each other, an attacker might find that easy to achieve.

"The vulnerabilities can be abused to leak a user's sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app," said the Trend Micro report. "They can also potentially lead to Remote Code Execution (RCE)."

The SHAREit app can directly download and install games from its own app store, outside the Google Play store. But because the connection to SHAREit's app store is neither encrypted nor authenticated, an attacker on the same network could stage a man-in-the-middle attack to tamper with the response and redirect the download so that your phone fetches malware instead of the game.

The download could also be triggered from a web page, through a link that SHAREit handles. Trend Micro tried that out and found the attack didn't work in Google Chrome, which blocked the behavior as suspicious. But other Android browsers may not be so careful.

There's still another avenue of attack. SHAREit saves downloaded games into a directory on shared storage that any other Android app can read and write, and then installs whatever it finds there. Any app with storage access can therefore swap in its own package before the install happens; Trend Micro's team showed they could get SHAREit to install a malicious version of Twitter this way.
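The shared-directory problem is a general one, not specific to SHAREit: a file that sits in a location other apps can write cannot be trusted at install time, even if it was checked a moment earlier. The simulation below, an added example rather than SHAREit's or Trend Micro's code, contrasts the two patterns. It stands in for the Android APK and PackageInstaller with constructed byte strings, temporary directories and an `installer` callback (all assumptions made for the illustration), and models the attacker app as something that overwrites the shared download during the install window.

```python
"""
Added simulation (not code from SHAREit or Trend Micro): installing a
downloaded package straight from a world-writable directory versus copying
it into app-private storage, verifying its hash there, and installing only
that private copy. Byte strings and directories are constructed stand-ins.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

# Constructed stand-ins for a genuine game APK and a trojanised one.
GENUINE_APK = b"PK\x03\x04 constructed stand-in for a genuine game APK"
MALICIOUS_APK = b"PK\x03\x04 constructed stand-in for a trojanised APK"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_from_shared_dir(shared_apk: str, expected_sha256: str, installer) -> bool:
    """Vulnerable pattern: check the file where it lies, then hand that same
    shared path to the installer. Any app that can write the directory can swap
    the file between the check and the install (a TOCTOU race), and if there is
    no check at all it can simply overwrite the download beforehand."""
    if not hmac.compare_digest(sha256_of(shared_apk), expected_sha256):
        return False
    return installer(shared_apk)  # installer re-reads from the shared directory


def install_via_private_copy(shared_apk: str, private_dir: str,
                             expected_sha256: str, installer) -> bool:
    """Hardened pattern: copy into storage only this app can write (on Android,
    the app's own files directory), verify the private copy, and install that
    copy. The expected hash must come from an authenticated source such as a
    TLS-protected metadata response, not from the untrusted download itself."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_apk, staged)
    if not hmac.compare_digest(sha256_of(staged), expected_sha256):
        os.remove(staged)
        return False
    return installer(staged)


def simulate() -> dict:
    """Constructed scenario: a hostile app wins the race and overwrites the
    shared-directory download while the installer is being invoked."""
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        shared_apk = os.path.join(shared, "game.apk")
        expected = hashlib.sha256(GENUINE_APK).hexdigest()
        installed = []  # bytes the simulated PackageInstaller actually consumed

        def installer(path: str) -> bool:
            # Race window: the attacker replaces the shared file right now.
            with open(shared_apk, "wb") as f:
                f.write(MALICIOUS_APK)
            with open(path, "rb") as f:
                installed.append(f.read())
            return True

        # 1. Install straight from the shared directory: the check passes on the
        #    genuine file, but the installer then reads the attacker's payload.
        with open(shared_apk, "wb") as f:
            f.write(GENUINE_APK)
        install_from_shared_dir(shared_apk, expected, installer)
        results["shared_dir_installed_malicious"] = installed[-1] == MALICIOUS_APK

        # 2. Same race against the private-copy pattern: the overwrite of the
        #    shared file no longer matters because the private copy is installed.
        with open(shared_apk, "wb") as f:
            f.write(GENUINE_APK)
        install_via_private_copy(shared_apk, private, expected, installer)
        results["private_copy_installed_malicious"] = installed[-1] == MALICIOUS_APK

        # 3. Payload swapped in before any check: rejected by the hash comparison.
        with open(shared_apk, "wb") as f:
            f.write(MALICIOUS_APK)
        results["tampered_before_check_accepted"] = install_via_private_copy(
            shared_apk, private, expected, installer)
    return results


if __name__ == "__main__":
    print(simulate())
```

The design point is that the hash check alone is not enough: it must be performed on a copy the attacker can no longer reach, and the reference hash must arrive over a channel the attacker cannot tamper with, which is exactly what an unencrypted app-store connection fails to provide.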

How to protect yourself from this flaw

To make sure you're safe from SHAREit flaws and similar attacks, go into Settings > Apps > Special app access > Install unknown apps (the exact path varies by Android version and manufacturer; on some phones it's under Settings > Apps & notifications > Advanced > Special app access) and see how many apps have the power to install other apps on their own. Turn off that permission for every app that doesn't absolutely need it. The Google Play Store installs apps through a separate, privileged path and does not depend on this setting, so you're not switching off anything it relies on.

You'll also want to be running one of the best Android antivirus apps. It won't stop every attack, but it will catch many of the rogue apps that a compromised installer tries to drop on your phone.

Who owns this app?

Interestingly, SHAREit seems to have begun life as a Lenovo app pre-installed on Windows laptops and Lenovo phones. The Android package name is still "com.lenovo.anyshare.gps," but Lenovo appears to have stopped supporting the app in 2017.

A Lenovo security advisory from 2016 cited security issues with SHAREit, stating that "users with older Android versions may be vulnerable to remote code execution, or a UXSS attack and users with any Android version may be vulnerable to an intent scheme attack."

Those sound a lot like the flaws cited by Trend Micro yesterday. A separate Lenovo security advisory from 2016 said SHAREit could result in "remote browsing of file system, and unauthorized access of files on Windows."

It's not clear how ownership of the app passed from Lenovo to a company called Smart Media4U Technology Pte. Ltd., which is registered in Singapore but appears to have operations in India and Malaysia as well. 

Tom's Guide has reached out to both Smart Media4U Technology and Lenovo seeking comment, and we will update this story when we receive replies.

Update: Lenovo comments

In response to our query, a Lenovo spokesperson provided Tom's Guide with this statement.

"SHAREit is a product produced, distributed and maintained by the company uSHAREit. The SHAREit app, initially called 'anyshare,' was developed by teams at Lenovo, but was spun off in 2015 as part of a wider divestment of non-core businesses."

Update: SHAREit responds

The SHAREit company responded Feb. 19 to our query.

"The security of our app and our users’ data is of utmost importance to us," read a statement from the company. "We are fully committed to protecting user privacy and security and adapting our app to meet security threats.

"On February 15, 2021, we became aware of a report by Trend Micro about potential security vulnerabilities in our app. We worked quickly to investigate this report, and on February 19, 2021, we released a patch to address the alleged vulnerabilities."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.