SHAREit, an Android application which has been downloaded more than a billion times, contains unpatched security vulnerabilities that the app maker has failed to fix for more than three months.

SHAREit is a mobile app that allows for file sharing between friends or personal devices. 

According to a Trend Micro  report, the vulnerabilities in the application can be abused to leak a user's sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app. Echo Duan and Jesse Chang at Trend Micro said the vulnerability could potentially lead to Remote Code Execution (RCE). The researchers notified Google of the app's vulnerabilities. 

"We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable," said the analysts. 

Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains, “As mobile devices such as smartphones and tablets become more essential to our everyday lives, their native security capabilities are lagging behind. For that reason, they're becoming the primary target for threat actors."

According to Agca, Google has removed user access to the underlying Android operating system and now provides organizations a way to manage mobile fleets with Android Enterprise. "However, the attackers still have a window of opportunity presented by the gap between disclosure of app or device vulnerabilities and delivery of a patch to address the issue. Without mobile security in place, it's impossible for organizations to address this gap. They would need to rely on their employees to run updates the moment they're available and that’s not a good strategy if you want to keep your modern endpoint estate secure.

"In addition to detecting outright malicious apps, IT and security teams also need a way to run mobile app risk analysis prior to provisioning apps to the employee base. This incident is a classic example of how a vulnerable app can lead to the entire mobile device being compromised," Agca says. "At the very least, this could lead to corporate data loss. However, a more advanced attack could compromise even more. This is another clear signal to IT leaders that they need to do more than just manage devices in order to get full visibility across their mobile estates. Mobile EDR is the key for teams that want to understand and mitigate against risks in the current threat landscape," 

Agca adds, "Mobile security solutions provide visibility into the vulnerabilities and risky behaviors present in mobile apps prior to sanctioning them for corporate use. Users need confidence in the way their data and privacy is handled. There will be more app vendors implementing real world threat protection measures within their apps to gain users trust and increase adoption. Threat actors have become skilled at chaining mobile app and operating system vulnerabilities together to create serious security issues as highlighted here. This opens up the conversation about mobile security across a number of different attack vectors now available to threat actors on mobile.

"Social engineering, phishing attacks, vulnerable devices and malicious apps are all security issues that relate to mobile as well as PC. However, many organizations are still recognizing that mobile security should be treated with equal importance as part of the greater security strategy. Detection of all the events that led to a compromise of users data is critical in securing modern endpoint environments," Agca says. 

For detailed findings. please visit