StrandHogg Malware Ravages Fully Patched Android Devices, Impersonates Popular Apps


It's based on an Android control setting called 'taskAffinity' that allows any app (malicious or not) to disguise itself as any other app on the device.

The list of things hackers can gain access to, as noted by Promon researchers, includes listening to the user's conversations and even recording them, reading and sending messages, taking photos, phishing login credentials, and accessing photos and files.

Also, Lookout has identified 36 malicious apps that were actively exploiting the vulnerability, among them discovering variants of the BankBot banking Trojan that were observed as early as 2017. Moreover, all the top 500 most popular apps are at risk of this vulnerability.

Cyber criminals can craft apps to steal bank login details thanks to a major security weakness in Android discovered by security firm Promon. The malicious apps themselves were not hosted on Google Play; instead, they were installed on devices as second-stage downloads. The exploit isn't new: security researchers have known about the StrandHogg proof-of-concept since 2015. Promon is calling the vulnerability "StrandHogg", an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom.

StrandHogg is a bug in the OS component that handles multitasking - the mechanism that allows the Android operating system to run multiple processes at once and switch between them as an app moves in or out of the user's view (screen).
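The taskAffinity setting described above is declared per activity in an app's AndroidManifest.xml, so a defender reviewing APKs can flag activities whose affinity names a package other than the app's own. The following is an added example for illustration, not code from Promon or the article; the manifest is constructed, the package names are invented, and the allowTaskReparenting attribute is reported as an extra data point that the article does not mention.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace inside every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app). One activity declares
# a taskAffinity naming a different package, the attribute the article
# singles out as the basis of the disguise.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity" />
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true" />
  </application>
</manifest>"""


def foreign_affinities(manifest_xml: str) -> list:
    """Return activities whose taskAffinity points outside the app's own package.

    By default an activity's affinity equals the package name. An explicit
    affinity that names another package is worth a manual review; an empty
    string (which opts out of affinity) or a sub-affinity of the app's own
    package is treated as benign here.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        affinity = act.get(ANDROID_NS + "taskAffinity")
        if not affinity or affinity == package:
            continue
        if affinity.startswith(package + "."):
            continue
        findings.append({
            "activity": act.get(ANDROID_NS + "name"),
            "taskAffinity": affinity,
            "allowTaskReparenting": act.get(ANDROID_NS + "allowTaskReparenting") == "true",
        })
    return findings


if __name__ == "__main__":
    for f in foreign_affinities(SAMPLE_MANIFEST):
        print(f"REVIEW: {f['activity']} declares affinity {f['taskAffinity']} "
              f"(reparenting={f['allowTaskReparenting']})")
```

Run against the manifest extracted from an APK (for example with apktool) to list activities that warrant a closer look; a match is a review trigger, not proof of malice.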

Google representatives did not reply to questions on when the flaw will be patched, how many Google Play apps have been caught exploiting it, or how many end users have been affected.

"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. In addition, we continue to investigate to improve Google Play Protect's ability to protect users against similar issues". Also, closing recently opened apps from time to time could help keep you safe, says Promon.

- Permission popups that don't contain an app name. Such malicious code can ask for permissions or display phishing pages.
- Buttons and links within the user interface that do nothing when clicked.
- The back button does not work as expected.

Promon has already reported the vulnerability to Google.

The problem emerged after Norwegian mobile security company Promon analysed malicious apps that had been spotted draining bank accounts.

"The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play".

Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play.
