Attackers have been actively exploiting an Android vulnerability that allows malicious apps to display dangerous permission requests and phishing overlays under the guise of a legitimate app.
Dubbed StrandHogg (an old Norse Viking term), the flaw resides in Android’s taskAffinity control setting, and can be successfully abused without having to first gain root access, according to Norway-based app security firm Promon. Researchers with the company say the flaw affects all versions of Android, and can be used to attack any of the 500 most popular Android apps (popularity based on rankings from app intelligence company 42 Matters).
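A defender-side check for the setting named above, as an added example that is not from Promon, Lookout or the original article: it scans a decoded AndroidManifest.xml for activities whose taskAffinity names a task outside the app's own package. The sample manifest and its package names are constructed, and treating a foreign affinity (especially together with allowTaskReparenting) as worth review is a heuristic assumed here, not a rule stated in the article.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the android: XML namespace used in manifests.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded manifest; all package names are made up.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:taskAffinity="com.example.flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.flashlight.help"/>
    <activity android:name=".NoAffinity" android:taskAffinity=""/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (activity, affinity, reparenting) for each foreign task affinity.

    Heuristic (an assumption of this example): an affinity equal to the app's
    package, or nested under it, is treated as the app's own.
    For untrusted input, use a hardened XML parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_affinity = app.get(A + "taskAffinity")
        app_reparent = app.get(A + "allowTaskReparenting", "false")
        for act in app.iter("activity"):
            # An activity inherits the application's value when it sets none.
            affinity = act.get(A + "taskAffinity", app_affinity)
            if not affinity:  # None: defaults to own package; "": no affinity
                continue
            if affinity == package or affinity.startswith(package + "."):
                continue
            reparent = act.get(A + "allowTaskReparenting", app_reparent)
            findings.append((act.get(A + "name"), affinity, reparent == "true"))
    return findings


if __name__ == "__main__":
    for name, affinity, reparent in audit_manifest(SAMPLE_MANIFEST):
        print(f"review {name}: taskAffinity={affinity} reparenting={reparent}")
```
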
In a company blog post today, Promon said it uncovered StrandHogg after obtaining and analyzing a sample of suspected malware that was apparently linked to attacks on several Czech Republic banks that drained money from customer accounts. This particular malware sample was installed via malicious downloader/dropper apps that were found on Google Play.
Further research from Promon partner and mobile security company Lookout ultimately revealed 36 malicious apps that exploit StrandHogg. These include variants of the banking trojan Bankbot, which uses malicious screen overlays to trick victims into entering their payment card data and log-in credentials into attacker-controlled windows that look like authentic mobile web pages.
Such a scenario can be “particularly dangerous in mobile platforms where there are typically already fewer on-screen indicators to confirm what site a user is interacting with,” said Tripwire computer security researcher Craig Young, in emailed comments. “In general, users must be careful about installing apps [that] request the screen overlay permission or require accessibility settings. Where available, users should also make sure that the ‘Verify Apps’ setting is enabled in Android’s security settings.”
Promon said it does not believe Google has fixed the vulnerability yet, although the Android-maker has reportedly expelled offending apps from Google Play. In its blog post, Promon alleges that Google had initially “dismissed the vulnerability’s severity” after Penn State University researchers “theoretically described certain aspects of the vulnerability” in a published report.
SC Media reached out to Google for official comment and received the following statement from a company spokesperson: “We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Because StrandHogg attackers can send alerts asking mobile users for a wide variety of permissions, the possible ramifications of malicious activity are quite serious, according to Promon’s blog post, written by software developer John Hoegh-Omdal, junior Android engineer Caner Kaya and senior software engineer Markus Ottensmann. Adversaries could potentially use these permissions to eavesdrop through the microphone, take photos, spy on SMS messages, record conversations, acquire geolocation information, and access photos, files, contacts and phone logs.
“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” said Promon CTO Tom Lysemose Hansen. “The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”