Enlarge / You can't argue with that green "safe" shield. (credit: ShareIt )

Trend Micro says it has found "several" security flaws in the popular Android app ShareIt . ShareIt has been downloaded over a billion times from the Play Store, and, according to App Annie, was one of the 10 most globally downloaded apps in 2019. The app was originally developed by Lenovo (it has since spun off into its own company) and for a time was pre-installed on Lenovo phones.

The report says ShareIt's vulnerabilities can "be abused to leak a user's sensitive data and execute arbitrary code with ShareIt permissions." ShareIt's permissions, as a local file-sharing app, are pretty extensive. According to the Play Store permissions readout, ShareIt requests access to the entire user storage and all media, the camera and microphone, and location. It can delete apps, run at startup, create accounts and set passwords, and do a whole lot more. It also has full network access. Trend Micro says compromising the app can lead to remote code execution. The security firm says it shared these vulnerabilities with ShareIt three months ago, but the company has yet to issue patches.

ShareIt's incredible success of a billion Android downloads and 1.8 billion users worldwide (there are also iOS, Windows, and Mac apps) has led to what looks like an incredible amount of app bloat. The app was considered one of the best for local file sharing, but today the Play Store listing shows an app that offers "Infinite Online Videos," "Tens of millions of high-quality songs," "GIFs, Wallpapers & Stickers," a "popular" media section that looks like a social network, a game store, a retail movie download section, COVID-19 check-in activity and case statistics, and what looks like its own form of currency. ShareIt's website (which, just like the app, does not default to HTTPS) says the service is "now a leading content platform" and popular in Southeast Asia, South Asia, the Middle East, Africa, and Russia.