‘StrandHogg’ Vulnerability Allows Malware to Pose as Legitimate Android Apps

The flaw can allow hackers to take over typical device functions like sending messages and taking photos because users believe the malicious activity comes from a mobile app they use regularly.

Researchers have discovered a new Android vulnerability that could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device’s owner.

Security researchers John Høegh-Omdal, Caner Kaya and Markus Ottensmann at Norwegian app-security provider Promon discovered the flaw—which they dubbed “StrandHogg” from old Norse for the Viking tactic of plundering villages and holding people for ransom. They said attackers can use the vulnerability to allow “real-life malware to pose as legitimate apps, with users unaware they are being targeted,” according to a blog post.

“The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,” researchers wrote. “Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.”

If the flaw is exploited, it appears to users that they are clicking on an app that they use every day, such as Facebook or Instagram. However, instead of the app the user intended to open starting up, malware is deployed that can give permissions to the hacker, and the user is directed to the legitimate app, researchers said.

The flaw, which can be exploited by “real-life malware,” affects all Android devices, including those running Android 10, and puts the top 500 most popular apps at risk, they said.

Researchers from Promon partner Lookout have already identified 36 malicious apps exploiting the vulnerability, which can be done without gaining root access to the device, according to the post. Among those apps were variants of the BankBot Trojan—widespread malware that’s been detected all over the world—observed as early as 2017, researchers said.

Moreover, the persistent problem of malware slipping under the radar on Google Play is what appears to be responsible for the spread of malicious code that exploits the flaw, researchers said. While the specific malware sample that Promon researchers analyzed did not reside on the app store, it was installed through several dropper apps/hostile downloaders distributed on Google Play, they said.

While these apps have since been removed, dropper apps continue to be published in spite of protections that exist on the store, researchers said. In fact, some are being downloaded millions of times before being spotted and deleted, they said.

Indeed, Google has struggled mightily with malware making its way onto Google Play under its watch and recently has taken new steps to try to alleviate this problem. The discovery of StrandHogg appears to make the need for better security for Android mobile apps all the more urgent.

The fact that the vulnerability is already being exploited in the wild is certainly troubling, as it means users already likely have been compromised and remain at critical risk, observed Sam Bakken, senior product marketing manager for digital identity and anti-fraud solution provider OneSpan.

“As you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,” he said in an e-mail to Threatpost. “Promon’s recent findings make the vulnerability as severe as it’s ever been.”

There is some good news in all of this, Bakken said. Security solutions do exist “under the umbrella of in-app protection” that can protect devices from malware exploiting StrandHogg, including “app shielding and runtime protection [that] make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS,” he said.
