StrandHogg Android vulnerability identified

Posted on Thursday, December 5, 2019 by AUSTIN HARRIS, Global Sales

Promon, a Norwegian app security company, has identified tangible evidence of a dangerous Android vulnerability that allows malware to pose as any legitimate app, letting hackers access private SMS messages and photos, steal victims’ log-in credentials, track movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.

Promon - which in 2016 identified that a lack of security in Tesla’s smartphone app could result in hackers taking control of vehicles - has conducted research into real-life malware that exploits this serious flaw, and found all of the top 500 most popular apps (as ranked by app intelligence company 42 Matters) are at risk, with all versions of Android affected, including Android 10, released in early September 2019.

The vulnerability has been named by Promon as ‘StrandHogg’, old Norse for the Viking tactic of raiding coastal areas to plunder and hold people for ransom.

Promon first identified StrandHogg after being informed by a partner security company, which provides protection for the financial sector, that several banks in the Czech Republic had reported money disappearing from customer accounts. Promon was given a sample of the suspected malware to investigate and, through its research, was able to identify that the malware was being used to exploit the StrandHogg vulnerability to steal from bank accounts and access confidential information.

Lookout, a partner of Promon, which recently partnered with Google, also confirmed that it has identified 36 malicious apps exploiting the StrandHogg vulnerability. Among them were variants of the BankBot banking trojan, observed as early as 2017, confirming that cybercriminals have known about, and used, this vulnerability for at least two years. BankBot is one of the most widespread banking trojans around, with dozens of variants and close relatives springing up continually. BankBot attacks have been detected all over the world, in the U.S., Europe, Latin America, and the Asia Pacific region.

StrandHogg, unique because it enables sophisticated attacks even on unrooted devices, uses a weakness in the multitasking system of Android to enact powerful attacks that allow malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’, which allows any app - including malicious ones - to freely assume any identity they desire in the multitasking system.
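A defender-side check for the taskAffinity behaviour described above, added here as an example (it is not Promon's or Lookout's code): it reads a decoded AndroidManifest.xml and reports activities whose effective taskAffinity names another app on a watchlist. The package names, the sample manifests and the watchlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests in decoded text form; all package names are made up.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".Overlay" android:taskAffinity="com.example.bank"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:taskAffinity="">
    <activity android:name=".Main"/>
    <activity android:name=".Editor" android:taskAffinity="com.example.notes.editor"/>
  </application>
</manifest>"""


def foreign_affinities(manifest_xml, protected_packages):
    """Return (package, activity, affinity) for each activity whose effective
    taskAffinity equals the package name of a different, protected app."""
    # For manifests from untrusted APKs, parse with a hardened parser such as
    # defusedxml instead of the standard library.
    root = ET.fromstring(manifest_xml)
    own = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # An activity inherits the application's affinity; the platform
        # default is the app's own package name.
        app_affinity = app.get(ANDROID + "taskAffinity", own)
        for activity in app.iter("activity"):
            affinity = activity.get(ANDROID + "taskAffinity", app_affinity)
            # An empty affinity means "no affinity" and is never a finding.
            if affinity and affinity != own and affinity in protected_packages:
                findings.append((own, activity.get(ANDROID + "name"), affinity))
    return findings


if __name__ == "__main__":
    watchlist = {"com.example.bank", "com.example.notes"}
    for name, xml_text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, foreign_affinities(xml_text, watchlist))
```

A finding is a triage signal for review of the app, not proof of malice on its own.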

The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements. The attack can be designed to request permissions which would be natural for different targeted apps to request, to lower suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using. 

By exploiting this vulnerability, a malicious app installed on the device can attack the device and trick it so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen. When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then log in to and control security-sensitive apps.

Promon’s study significantly expands upon research carried out by Penn State University in 2015, where researchers theoretically described certain aspects of the vulnerability. Google, at the time, dismissed the vulnerability’s severity, but Promon has tangible evidence that hackers are exploiting StrandHogg in order to gain access to devices and apps.

The specific malware which Promon analyzed did not reside on Google Play but was installed through several so-called dropper apps distributed on Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, malicious apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted. Demonstrative of the scale of Google Play’s issue with dropper apps, researchers recently reported that the malicious CamScanner app, a PDF creator that contains a malicious module, has been downloaded more than 100 million times. 

Promon CTO Tom Lysemose Hansen comments: “We have already seen attackers exploiting StrandHogg for monetary gains. If left unaddressed, the potential impact of this could be unprecedented in terms of scale and the amount of damage caused, because most apps are vulnerable by default and all Android versions are affected.” 

Promon CEO Gustaf Sahlman adds: “Vikings were known to set up spy networks, with information on religious feasts and events, local customs and high-value personalities who could be ransomed being used when choosing the next area to attack. Cybercriminals are the modern-day Vikings, and we encourage individuals to be extra vigilant and for companies to ensure they have robust app protection in place.” 
