Crooks are exploiting unpatched Android flaw to drain users’ bank accounts
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.
“Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts. At the time, this was covered (but not explained) in the Czech media. Promon’s partner gave Promon a sample of the suspected malware to investigate,” Promon researchers explained.
All versions of Android are affected and all of the top 500 most popular Android apps are at risk, they found.
“StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted. To carry out attacks, the attacker doesn’t need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner,” they noted.
About the StrandHogg vulnerability
StrandHogg allows attackers to show users fake login screens and to request all types of permissions, which may ultimately allow them to:
- Read and send SMS messages (including those delivering second authentication factors)
- Phish login credentials
- Make and record phone conversations
- Listen to the user through the microphone
- Take photos through the device’s camera
- Get access to photos, files on the device, location and GPS information, the contacts list, phone logs, etc.
“StrandHogg (…) uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” the researchers explained. (More technical details are available here.)
Malware taking advantage of this vulnerability springs into action when the victim clicks the app icon of a legitimate app.
“The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected,” noted Promon CTO Tom Lysemose Hansen.
What can users do?
Mobile security company Lookout has identified 36 malicious apps exploiting the StrandHogg vulnerability, and among them were variants of the BankBot banking trojan.
Malware using the StrandHogg flaw was not found on Google Play but was installed on target devices through several dropper apps/hostile downloaders distributed through Google Play.
These particular apps have been removed by Google, but dropper apps often bypass Google Play’s protections and trick users into downloading them by pretending to have the functionality of popular apps.
Although Penn State University researchers theoretically described certain aspects of the StrandHogg vulnerability in 2015, and Promon notified Google of its discovery this summer, Google has yet to plug the security hole. The company said it is investigating ways to improve Google Play Protect’s ability to protect users against similar issues.
Promon researchers say that it’s difficult for app makers to detect whether attackers are exploiting StrandHogg against their own app(s), but that the risk can be partly mitigated by setting the task affinity of all activities to “” (the empty string) via the android:taskAffinity attribute in the application tag of AndroidManifest.xml.
As, according to the researchers, there’s no effective block or reliable detection method against StrandHogg on Android devices, users are advised to be on the lookout for things like:
- An app or service that they have already logged into asking for a login
- Permission pop-ups that don’t contain an app name
- Buttons and links in the user interface that do nothing when clicked on
- Typos and mistakes in the user interface.