In response to our query, a Lenovo spokesperson provided Tom's Guide with this statement.
Micro android shareit update#
Tom's Guide has reached out to both Smart Media4U Technology and Lenovo seeking comment, and we will update this story when we receive replies. Ltd., which is registered in Singapore but appears to have operations in India and Malaysia as well. It's not clear how ownership of the app passed from Lenovo to a company called Smart Media4U Technology Pte. A separate Lenovo security advisory (opens in new tab) from 2016 said SHAREit could result in "remote browsing of file system, and unauthorized access of files on Windows." Those sound a lot like the flaws cited by Trend Micro yesterday.
Micro android shareit code#
The Android package name is still "," but Lenovo appears to have stopped supporting the app in 2017 (opens in new tab).Ī Lenovo security advisory from 2016 (opens in new tab) cited security issues with SHAREit, stating that "users with older Android versions may be vulnerable to remote code execution, or a UXSS attack and users with any Android version may be vulnerable to an intent scheme attack." Interestingly, SHAREit seems to have begun life as a Lenovo app pre-installed on Windows laptops and Lenovo phones. It'll catch almost everything that rogue apps will try to install. You'll also want to be running one of the best Android antivirus apps. Turn off that permission for every app but Google Play.
Micro android shareit install#
To make sure you're safe from SHAREit flaws and similar attacks, go into Settings > Apps > Special app access > Install unknown apps and see how many apps have the power to install other apps on their own. Trend Micro's team showed they could install a malicious version of Twitter using this process. SHAREit saves downloaded games into an unprotected directory that any other Android app can access and write to. But it's possible the attack might work in other Android browsers. Trend Micro tried that out and found that the attack didn't work in Google Chrome because the browser detected suspicious behavior. But because the connection to SHAREit's app store is not secure, it would be trivial for an attacker to stage a man-in-the-middle attack to inject malicious code into the connection and redirect the link so that your phone downloads malware.Ī malicious link could even be embedded in a website. The SHAREit app can directly download and install games from its own app store, outside the Google Play store.
"They can also potentially lead to Remote Code Execution (RCE)." "The vulnerabilities can be abused to leak a user's sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app," said the Trend Micro report. But because SHAREit lets users send Android app installers to each other, an attacker might find that easy to achieve. The flaws in SHAREit would have to be leveraged by a malicious app or rogue code that was already installed on the Android device, the report said. The page currently states the last update was on Feb. Trend Micro showed a screenshot of the app's Google Play page, which indicated the last update then had been made on Jan.
0 kommentar(er)
