A vulnerability has been found in the popular Android app SHAREit, a mobile app that allows users to share files with friends or between their own devices. The vulnerability allows an adversary to run malicious code on a smartphone that has the app installed. It was reported by Trend Micro on Monday, and below is the reaction from cybersecurity experts.
<p>Over a billion users being exposed to sensitive data leaks due to reported security bugs is a recipe for disaster. What was once a work productivity tool has changed into potential malware, connected to an unknown number of company networks. While it might seem harsh, a blanket ban of the software is necessary until a complete overhaul of the code can be carried out, along with several fixes to ensure security and stability. Vulnerabilities such as the ones identified in SHAREit’s platform can lead to remote code execution (RCE), a serious cyber threat that will allow an attacker to access devices and manipulate them for their own nefarious purposes. At its core, several holes that make RCE possible were introduced at the developer level, such as poor access control allowing third parties to have temporary read/write access to potentially sensitive data, and view non-public SHAREit activity logs. The developer also specified a wide storage area root path, essentially opening up a large area of a device’s storage (and anything sensitive that may be stored there) to attackers who can comb through and take what they want.</p>
<p>These vulnerabilities are not rocket science, nor are they opportunities that only a mastermind threat actor could exploit. They are the result of poor security hygiene in code, and we need to give developers the tools and knowledge required to stop using poor coding patterns as they write.</p>
<p>Attackers rely on unpatched, buggy software for quick wins, and this is a potentially enormous playing field. More experienced, security-aware developers would be able to identify access points that are unnecessarily generous, or have the potential to expose any sensitive information from the app itself, or its users. Trend Micro is right to suggest that developers must be more actively involved and security-aware; the right upskilling pathway is essential to stop relatively simple errors like this from turning a useful app into malware. Ignoring the warnings of security researchers is never a great idea, and making security bugs a patching priority is essential. Of course, if the bugs weren’t introduced in the first place, having to navigate the logistics of an emergency security patch wouldn’t be necessary.</p>
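<p>The following is an added illustration, not part of the reactions quoted on this page and not SHAREit’s own code. The "wide storage area root path" mentioned above is the kind of setting that lives in an Android FileProvider paths resource (res/xml); that it refers to such a file is an assumption here, as the page does not say so. The script parses a constructed paths XML, flags a root-path element and any entry whose path names a whole tree rather than a subdirectory, and accepts a narrowed configuration that exposes a single directory.</p>

```python
"""Lint an Android FileProvider paths XML for overly broad roots.

Added example, not code from the page or from SHAREit. Assumes the
"wide storage area root path" refers to a FileProvider paths resource;
both XML documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed risky configuration: a root-path rooted at "/" resolves
# against the device root, and "." on external-path exposes all of
# external storage rather than one subdirectory.
RISKY_PATHS_XML = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/" />
    <external-path name="ext" path="." />
</paths>
"""

# Constructed narrowed configuration: a single subdirectory under the
# app's private files directory (Context.getFilesDir()).
NARROW_PATHS_XML = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <files-path name="shared" path="shared/" />
</paths>
"""

# Elements FileProvider's path strategy recognises; anything else is ignored.
KNOWN_TAGS = {
    "root-path", "files-path", "cache-path", "external-path",
    "external-files-path", "external-cache-path", "external-media-path",
}


def _is_broad(path: str) -> bool:
    """True when the path names the whole tree ("", "/", ".") instead of a subdirectory."""
    return path.strip().strip("/") in ("", ".")


def lint_paths_xml(xml_text: str) -> list:
    """Return one finding string per risky entry; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "paths":
        return [f"unexpected root element <{root.tag}>"]
    for child in root:
        name = child.get("name", "?")
        path = child.get("path", "")
        if child.tag not in KNOWN_TAGS:
            findings.append(
                f"{child.tag} name={name!r}: not a FileProvider path element, "
                "it grants nothing and should be removed"
            )
            continue
        if child.tag == "root-path":
            # root-path is undocumented and always resolves against "/",
            # so it exposes every file the app process can read.
            findings.append(
                f"root-path name={name!r} path={path!r}: exposes the filesystem root"
            )
        elif _is_broad(path):
            findings.append(
                f"{child.tag} name={name!r} path={path!r}: whole tree exposed, "
                "narrow to a subdirectory"
            )
    return findings


if __name__ == "__main__":
    for label, doc in (("risky", RISKY_PATHS_XML), ("narrow", NARROW_PATHS_XML)):
        print(f"{label}: {lint_paths_xml(doc) or 'clean'}")
```

<p>Run as a script it prints two findings for the risky document and "clean" for the narrowed one. Narrowing the path only limits which files a granted content URI can reach; the grant itself (how widely the provider is exported and which flags accompany the URI) still has to be reviewed separately.</p>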
<div> <p>It’s disappointing that the application developers failed to fix these issues after such a long period, especially given the severity of the issues. Remote Code Execution (RCE) vulnerabilities are amongst the most critical in terms of risk, as they can lead to total compromise of the device on which they are present. It goes without saying that the disclosure of these issues in this manner and the lack of responsiveness from the developers offers very poor optics.</p>
<p>General security recommendations are usually centred around ensuring updates/patches are in place; however, in this case, since no patch is available, users need to consider avoiding the app altogether, or maybe even contend with the possibility that their device may have already been compromised.</p> </div>
<p><span lang="EN-US">An alarming number of mobile apps are developed by novice coders or outsourced third parties with little to no forethought around security. Worse, there is almost no way for the average user to verify the safety of the apps they use. In general, large companies tend to have better security practices in app development and testing, but it’s unfortunately not a guarantee. Developers looking to ensure the security of their users should prefer to leverage functionality built into the mobile platforms themselves, whether iOS or Android, rather than build it themselves where possible. Users should maintain a healthy scepticism of the security protections of mobile apps and be wary of what data they share through them, especially those from smaller developers, absent evidence of security best practices followed or independent third-party evaluation.</span></p>
<p>As mobile devices such as smartphones and tablets become more essential to our everyday lives, their native security capabilities are lagging behind. For that reason, they’re becoming the primary target for threat actors.</p>
<p>Google has removed user access to the underlying Android operating system and now provides organisations a way to manage mobile fleets with Android Enterprise. However, attackers still have a window of opportunity presented by the gap between disclosure of app or device vulnerabilities and delivery of a patch to address the issue. Without mobile security in place, it’s impossible for organisations to address this gap. They would need to rely on their employees to run updates the moment they’re available, and that’s not a good strategy if you want to keep your modern endpoint estate secure.</p>
<p>In addition to detecting outright malicious apps, IT and security teams also need a way to run mobile app risk analysis prior to provisioning apps to the employee base. This incident is a classic example of how a vulnerable app can lead to the entire mobile device being compromised. At the very least, this could lead to corporate data loss. However, a more advanced attack could compromise even more.</p>
<p>This is another clear signal to IT leaders that they need to do more than just manage devices in order to get full visibility across their mobile estates. Mobile EDR is the key for teams that want to understand and mitigate against risks in the current threat landscape. Mobile security solutions provide visibility into the vulnerabilities and risky behaviours present in mobile apps prior to sanctioning them for corporate use. Users need confidence in the way their data and privacy is handled. There will be more app vendors implementing real-world threat protection measures within their apps to gain users’ trust and increase adoption.</p>
<p>Threat actors have become skilled at chaining mobile app and operating system vulnerabilities together to create serious security issues, as highlighted here. This opens up the conversation about mobile security across a number of different attack vectors now available to threat actors on mobile.</p>
<p>Social engineering, phishing attacks, vulnerable devices and malicious apps are all security issues that relate to mobile as well as PC. However, many organisations are still recognizing that mobile security should be treated with equal importance as part of the greater security strategy. Detection of all the events that led to a compromise of users’ data is critical in securing modern endpoint environments.</p>