Attention Android users! StrandHogg vulnerability is actively exploited

4. December, 2019

All Android versions are affected, no patch available yet

There are at least two reasons that make the StrandHogg vulnerability so serious. First, all Android versions, including the current version 10, and most apps are vulnerable; second, the attacks are often undetectable. The security company Promon, which discovered the vulnerability, warns of current attacks.

Unnoticed attacks on sensitive data and permissions

The attackers attach themselves to legitimate apps, launch them manually and show a deceptively real phishing window afterwards. Permissions or login data are requested in the name of this legitimate app. At that moment it is not obvious to the user that the sensitive information or access rights are passed on to the attacker. Once the data has been entered, the users return to the app they actually wanted – there is no sign of infection or a successful attack.

“We already saw similar attacks last year, for example, the banking malware Cerberus,” says Tibor Elias, Android malware specialist at IKARUS. He adds: “But while the already known overlay attack draws components over other apps, StrandHogg tells the Task Manager to launch a malicious activity on top of a benign one when a legitimate app is launched by the victim. The malware window is displayed in the foreground, the harmless app is moved to the background or ‘closed’.”

Error in the system or vulnerability in the application?

This scenario is made possible by using the standard task functions taskAffinity and allowTaskReparenting, which allow installed apps to use any identity. According to Promon, the vulnerability was reported to Google in the summer, and no information about a planned security update has been received so far.
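A defender's check for the two attributes named above, as an added example that is not code from Promon or IKARUS: it reads an app manifest that has already been decoded to plain XML and lists activities whose taskAffinity names another package. The sample manifest, its package and class names, and the own-package heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def audit_manifest(manifest_xml):
    """Return (activity, affinity, reparenting) for foreign task affinities."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # <application> values are the defaults inherited by every <activity>.
    app_affinity = _attr(app, "taskAffinity", package)
    app_reparent = _attr(app, "allowTaskReparenting", "false")
    findings = []
    for act in app.findall("activity"):
        affinity = _attr(act, "taskAffinity", app_affinity)
        reparent = _attr(act, "allowTaskReparenting", app_reparent) == "true"
        # Heuristic (assumption): own package, a sub-name of it, or the empty
        # string (no affinity) is benign; anything else names a foreign task.
        own = affinity in ("", package) or affinity.startswith(package + ".")
        if not own:
            findings.append((_attr(act, "name", "?"), affinity, reparent))
    return findings


# Constructed sample manifest; all package and class names are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".Settings"
        android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, affinity, reparent in audit_manifest(SAMPLE):
        print(f"{name}: taskAffinity={affinity!r} allowTaskReparenting={reparent}")
```

A finding is a reason to review the app, not proof of malice; values given as resource references such as @bool/... are not resolved by this check.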

“There are controversial opinions on whether StrandHogg is an Android vulnerability or ‘only’ a vulnerability or misconfiguration of an application,” says Tibor Elias. To take advantage of this gap, however, there must already be malicious code on the device, which is usually supplied or downloaded by so-called Dropper Apps. This is where the “classic” security recommendations for app installations come in. You should not rely on Google Protect alone – unfortunately, malicious apps always manage to slip under the radar of Google’s internal security program.

Infections are also possible via Google Play

Security company Lookout reports 36 apps exploiting the vulnerability, including the banking Trojan BankBot. The identified harmful apps – no names are mentioned – were also found on Google Play, but have since been removed. In addition to a professional malware scanner for Android, caution when selecting apps and healthy mistrust, we recommend that you also be careful when operating your smartphone or tablet: pay attention to login requests if you are already logged in, or repeated requests for permissions. Typing errors, missing or incorrect logos and non-functioning buttons or links can also provide clues. If in doubt, you can send suspicious files to the IKARUS Malware Lab via our free Android app IKARUS
