Newly discovered Android StrandHogg vulnerability exploited by malware

The new vulnerability already exploited by banking trojans and other malware impacts all Android OS versions

StrandHogg Android vulnerabilityPromon security firm discovered StrandHogg vulnerability that is already exploited in the wild.[1] The flaw is misused by at least 36 applications, according to the report.[2] One of the applications observed in the report was found distributing BankBot banking trojan known since 2017.

Once the vulnerability gets exploited, malicious apps can camouflage as legitimate and help attackers to access photos, read messages, make audio or video recordings, and even track movements of the victim. The vulnerability can also be used to show fake login pages when the user opens a legitimate application and can be exploited without a need to reboot the phone.

Security researchers from Norway, that have been specializing in in-app security protections, stated that all applications are vulnerable to this flaw, including the 500 apps from the most popular list.

StrandHogg vulnerability detection

The discovery of this flaw was made thanks to the Eastern European security company that is partnering with the Promon in the app security support. The partner provided a sample of the threat to analyze, and the analysis helped to discover the StrandHogg security flaw.

Lookout, another partner, has also confirmed the vulnerability and stated that 36 applications are currently exploiting the flaw in the wild.[3] These programs haven’t been named, but none of them is available on the official Play Store. However, users are still able to install other malicious applications from the Play Store and get these programs as secondary payloads for more intrusive StrandHogg attacks.[4] 

Android vulnerability dubbed StrandHogg is also called unique due to sophisticated methods and the ability to use flaws in the multitasking Android system to enact powerful attacks that allow masquerading malicious apps as any other legitimate program. 

Once the flaw gets exploited, hackers can:

  • listen to the user via the microphone;
  • take photos and recordings via phone camera;
  • send and read text messages;
  • make phone calls or record them;
  • use phishing techniques to get login credentials;[5]
  • access private photos, other files on the device;
  • get access to location and GPS information;
  • access the contact list and phone logs.

Dangerous uses of the vulnerability

This security flaw can be used by hackers for spying on people or steal their valuable information and money, so it is more dangerous than any Android OS flaw. The exploit is based on a control setting named taskAffinity that allows the application to assume any identity in the multitasking system they desire. Unfortunately, Google hasn’t fixed the issue on any version of Android, which means that any Android user is exposed to the malware. 

Once the flaw is exploited, hackers can use access to the targeted device to spy on the victim or steal valuable data since it is exceptionally easy to achieve any function needed. As Tom Lysemose Hansen from Promon said:

We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information.

Since all the versions of Android are vulnerable by default, the amount of damage caused because of it and the scale of affected people can be huge. There is no way to block such an attack, and there is no method for detecting the flaw. 

What users can notice and should look out for:

  • apps asking them to login repeatedly;
  • permission pop-ups without certain app names;
  • typos or grammar, UI or UX[6] mistakes;
  • buttons that don’t work as expected or are useless in general.