StrandHogg vulnerability enables malicious software to masquerade as trusted Android apps
Dec 05 2019
Once exploited, it allows malicious apps to camouflage as nearly any legitimate app, with Promon finding that "all of the 500 most popular apps (as ranked by app intelligence company 42 Matters) are vulnerable to StrandHogg".
"The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected", noted Promon CTO Tom Lysemose Hansen. The vulnerability exploits the multitasking process of the operating system. That omission makes it hard for people to know if they are or were infected.
Google representatives did not reply to questions on when the flaw will likely be patched, how many Google Play apps have been caught exploiting it, or how many end users have been affected.
"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".
"This exploit is based on an Android control setting called 'taskAffinity' which allows any app - including malicious ones - to freely assume any identity in the multitasking system they desire".
Permission popups that do not include an app name.
Permissions asked from an app that shouldn't require or need the specific permissions it asks for (considering the functionality of the app). Examples of this include Baidu's Hong Kong Disneyland app. So, when the user clicks a trusted app's icon on the screen, a malicious version instead starts.
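One defender-side triage check that follows from the taskAffinity point above, added here as an example and not code from Promon or the original article: it scans a decoded (text) AndroidManifest.xml, such as the one a tool like apktool produces, for activities whose explicit task affinity names a package other than the app's own. The manifest and package names are constructed for illustration, and the rule is a review heuristic assumed here, not a definitive StrandHogg detector.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_affinity_mismatches(manifest_xml):
    """Return (activity, taskAffinity) pairs whose affinity points outside the app.

    Heuristic (an assumption of this example): by default an activity's task
    affinity equals the app's own package name. An explicit, non-empty
    android:taskAffinity naming a different package is the setting StrandHogg
    abuses and deserves a closer look. An empty string means 'no affinity'
    and is treated as benign.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    findings = []
    for activity in root.iter("activity"):
        affinity = _attr(activity, "taskAffinity")
        if affinity and affinity != package:
            findings.append((_attr(activity, "name"), affinity))
    return findings


# Constructed sample manifest (not from any real app): one default activity,
# one with an empty affinity, and one whose affinity names another package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".HelperActivity" android:taskAffinity="" />
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.bankingapp" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, affinity in find_affinity_mismatches(SAMPLE_MANIFEST):
        print(f"review {name}: taskAffinity={affinity}")
```

An activity pointing at another package is only a lead; legitimate apps occasionally set a foreign affinity, so the result is a list to review rather than a verdict.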
This malware was mainly used to target banks in several countries and withdraw money from bank accounts. "Promon's partner gave Promon a sample of the suspected malware to investigate", Promon researchers explained. Last year, AP reported that Google had been continuing to store user location data, even in cases where users had turned off the "Location History" feature.
"Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware".
Monday's post didn't say how many financial institutions were targeted in total.
Malware using the StrandHogg flaw was not found on Google Play but was installed on target devices through several dropper apps/hostile downloaders distributed through Google Play. While Google has removed them, it's not uncommon for new malicious apps to make their way into the Google-operated service.
Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play.
Also, "closing the app from the Recents screen can be effective - however, it is possible for an attacker to also circumvent this".