Researchers from Norwegian company Promon have discovered a serious vulnerability called StrandHogg that threatens Android users around the world. Vulnerability allows attackers to intercept critical user data and establish hidden control over mobile devices.
Experts have counted several dozen malicious applications on Google Play that exploit this bug, and suggest that all Android applications are at risk.The first alarm came from several Czech banks, which noticed the loss of money from client’s accounts. Security experts traced the problem to a malicious application that exploited a previously unknown Android vulnerability. Specialists gave this bug the name StrandHogg, name were called the Viking raids on coastal cities in the Middle Ages.
The new vulnerability, which is currently relevant for all versions of Android, is contained in the processes of the OS itself, so attackers don’t have to crack third-party applications, and the attacks themselves are mostly secret to victims”, – say Promon experts.
The problem is related to the Android multitasking mechanism, or rather, using the taskAffinity attribute. The legitimate purpose of this setting is that applications can intercept tasks from each other (developers call this procedure “task reparenting”).
This is exactly how taskAffinity is used by malware, displaying its own dialog boxes when launching legitimate applications. The victim of the attack believes that the request came from a program that he wants to open, and ultimately gives criminals access to their device. In this way, a malicious application may require a maximum set of permissions or steal user credentials.
Victims of the attack have virtually no chance of noticing a takeover, so they are likely approving the request. In turn, the criminals try to insure themselves against suspicion by adjusting the content and appearance of the pop-up window to the interface of the camouflage application”, – say the researchers.
Experts conclude that malicious potential of the new vulnerability cannot be overestimated. The exploit works on all Android devices, including devices with the latest, 10th version of the OS. Criminals get the opportunity of total control over smartphones and tablets even without unlocking root access.
Attackers can use StrandHogg to listen for user calls, read SMS, e-mails and messages on social networks, track movements, start the recorder and camera, steal photos, videos, logins and passwords. All this – amid complete unawareness of both victims and creators of the applications that criminals use for cover.
Read also: Vulnerability in popular Truecaller application endangers 150 million users
Experts have confirmed the efficiency of the method on the 500 most popular Android applications (according to the rating of the analytical company 42 Matters). Each of them, as it turned out, can be used to mask unwanted actions. To deliver software that can display fake windows, criminals use droppers. Researchers have found on Google Play 36 applications created specifically for using StrandHogg. The vulnerability has expanded the arsenal of the BankBot Trojan, which has been active since at least 2017.
Experts told Google developers about the existing problem, but they have not yet managed to prepare patches. Researchers waited 90 days and, realizing that there was no patch, published their findings.
Read also: 61% of all malicious ads target Windows users: How to Protect Yourself?
The StrandHogg threat is just the last dangerous Android bug that has become known in recent months. At the end of October, researchers found a vulnerability in the native NFC utility that allowed users to be redirected to dangerous web pages. Later, experts warned of problems in dozens of applications that are preinstalled on smartphones Samsung, Sony, Xiaomi and other major manufacturers.
Considerable concern among specialists was caused by the GIF file processing bug, which was originally discovered in WhatsApp, and then in thousands of other applications. An error in one of the libraries opened up unauthorized access to Android devices with the ability to execute third-party code.
How to protect yourself from StrandHogg?
Currently, the only thing that can help Android users protect themselves from StrandHogg is maximum attention to the dialog boxes on their devices. Suspicions may include requests for additional rights from a long-installed application, grammar and punctuation errors in pop-ups, broken links and buttons, strange requirements that do not match the profile of the application that sent them (for example, a geolocation request from a calculator).
