A quirk in the way that Android handles multitasking on mobile devices has created a vulnerability that researchers say is being used by attackers to impersonate legitimate apps and steal user information, and in some cases money from bank accounts.
The vulnerability has been named StrandHogg and it affects all of the current versions of Android, including Android 10. In the attacks that researchers have identified thus far, attackers are using banking trojans to produce overlay screens that look exactly like legitimate banking apps and harvest users’ credentials. Screen overlay attacks are quite common on mobile devices, especially in regions where mobile devices are the dominant method people use to access their bank accounts. Some of those attacks rely on the target device being rooted, but the StrandHogg vulnerability does not.
An attacker who is able to exploit the vulnerability would have broad permissions on the target device, including the ability to read and send texts, take photos, turn on the microphone, harvest user credentials, and more.
“A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions. While Android has safeguards in place to defend against overlay attacks, by using Strandhogg attackers can still mount such an attack even against current versions of Android,” researchers at Lookout said in a post.
Researchers have discovered several dozen malicious apps that have been exploiting the StrandHogg vulnerability. Those apps were not in the Google Play store, but there are other vectors that could be used to get malicious apps on target devices, as well.
“StrandHogg, unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allow malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann of mobile security firm Promon said in a post explaining the weakness.
“The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted.”
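The taskAffinity setting Promon describes is declared in an app's AndroidManifest.xml, so one vetting check a defender can run over an APK's decoded manifest is to flag activities whose affinity names a package other than their own. The script below is an added example written for this article; it is not code from Promon, Lookout or Google. The sample manifest is constructed for illustration (the package and activity names are invented), and the rule for what counts as a "foreign" affinity (non-empty, and neither the app's own package name nor a sub-name of it) is this example's own heuristic, not an Android API.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not a real app). The third activity declares a
# taskAffinity equal to another package's name, which is the kind of
# declaration a task-hijacking app relies on to appear as that app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppedapp">
  <application android:label="Utility">
    <activity android:name=".MainActivity" />
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.example.droppedapp" />
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.bank.mobile"
              android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:<name> attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def foreign_task_affinities(manifest_xml: str) -> list:
    """Return activities whose taskAffinity points outside the app's own package.

    Heuristic of this example (an assumption, not Android's own logic):
    - no attribute at all means the Android default, i.e. the package name;
    - an empty string is treated as 'no affinity' and not flagged;
    - anything equal to the package name, or prefixed by package + '.', is local;
    - everything else is reported, together with allowTaskReparenting, which
      lets an activity move into another task once that task comes to the front.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    application = root.find("application")
    app_default = _attr(application, "taskAffinity") if application is not None else None

    findings = []
    for activity in root.iter("activity"):
        affinity = _attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_default  # activities inherit the application-level value
        if not affinity:
            continue  # Android default (package name) or explicitly no affinity
        if affinity == package or affinity.startswith(package + "."):
            continue
        findings.append({
            "activity": _attr(activity, "name") or "",
            "taskAffinity": affinity,
            "allowTaskReparenting": _attr(activity, "allowTaskReparenting") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in foreign_task_affinities(SAMPLE_MANIFEST):
        print("foreign affinity: %(activity)s -> %(taskAffinity)s "
              "(allowTaskReparenting=%(allowTaskReparenting)s)" % finding)
```

Run against a manifest decoded from an APK (for example with apktool), the check reports `.OverlayActivity` for the sample above and nothing for the other two activities. A hit is not proof of malice on its own, since a legitimate app can share a task with a companion app it ships, but an affinity naming a banking or payment package that the app has no relationship with is the declaration worth escalating.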
The Promon researchers first became aware of the StrandHogg weakness when one of the company’s partners in Eastern Europe alerted them that banks in the Czech Republic were noticing funds missing from customers’ accounts. The malware sample that the partner provided was installed through droppers and downloaders that were on the Google Play Store. Promon researchers reported the vulnerability to Google several months ago, but there is not yet a fix available for it.