Published on December 2nd, 2019 📆 | 4033 Views ⚑0
Actively Exploited StrandHogg Vulnerability Affects Android OS
A newly discovered Android vulnerability is actively exploited by malware such as the BankBot banking Trojan and it impacts all versions of the operating system up to and including Android 10.
The new vulnerability discovered by Promon security researchers was named StrandHogg and it can be exploited without the need of rooting the device.
Once exploited, it allows malicious apps to camouflage as almost any legitimate app, with Promon finding that “all of the 500 most popular apps (as ranked by app intelligence company 42 Matters) are vulnerable to StrandHogg.”
Unique Android vulnerability
StrandHogg is “unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device,” says Promon.
“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire.”
What makes this security flaw even more dangerous is that, according to the researchers who spotted it, Google has not yet fixed the issue on any version of Android thus directly exposing any Android users to malware designed to abuse it.
Also, Lookout has identified 36 malicious apps that were actively exploiting the vulnerability, among them discovering variants of the BankBot banking Trojan that were observed as early as 2017.
While the list of malicious apps exploiting StrandHogg in the wild is not yet available, Promon’s researchers state that the malware sample they analyzed was distributed via malware droppers and downloaders that have since been removed from the Play Store by Google.
Can be used by both spies and thieves
Once they manage to infect a device with malware capable of exploiting StrandHogg, attackers can request any permission by disguising as legitimate apps to increase its data harvesting capabilities, or to trick victims into handing over sensitive information such as banking or login credentials via screen overlays.
Since the attackers can gain access to any Android permission, they can perform a wide range of data collecting actions allowing them to:
• Listen to the user through the microphone
• Take photos through the camera
• Read and send SMS messages
• Make and/or record phone conversations
• Phish login credentials
• Get access to all private photos and files on the device
• Get location and GPS information
• Get access to the contacts list
• Access phone logs
“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” Promon CTO Tom Lysemose Hansen said.
“The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”
According to Promon, there is no reliable method of detecting if StrandHogg was exploited on an Android device and there is no way to block such an attack.
Despite this, users might be able to notice various discrepancies while using their smartphones such as apps asking them to log in again, permission pop-ups without app names, apps asking for permissions they don’t need, typos and UI mistakes, as well as buttons that don’t work or don’t work as expected.
Also, “closing the app from the Recents screen can be effective – however, it is possible for an attacker to also circumvent this.”
More information on how this new vulnerability is used in ongoing attacks against Android devices is available in the Promon StrandHogg report published today.