Pierluigi Paganini December 02, 2019

Security experts disclosed a vulnerability dubbed StrandHogg that has been exploited by tens of malicious Android apps.

Security experts at Promon disclosed a vulnerability, dubbed StrandHogg, that has been exploited by tens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in the Android’s multitasking system that could be exploited by a rogue application installed on the device to pose as a legitimate application in the attempt to harvest elevated permissions from the victims.

A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions to control the devices.

“The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements.” reads the report.

“The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.”

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.

The StrandHogg technique is unique because it allows hackers to carry out sophisticated attacks without the need for a device to be rooted.

“This exploit is based on an Android control setting called ‘ ’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire.” continues the report.

The researchers have conducted research of real-life malware that exploits this vulnerability and found all of the top 500 most popular apps are at risk, the experts pointed out that the flaw affects all versions of Android affected.

According to the Mobile security firm Lookout, 36 malicious apps identified by its experts exploited the vulnerability, including variants of the  BankBot banking Trojan that have been spotted for the first time in 2017.

Promon experts analyzed a specific malware sample that was not present on the Google Play but that was delivered through several dropper apps/hostile downloaders distributed on Google Play. According to the experts these malicious apps have now been removed, instead, they continue to be under the radar and users downloaded them millions of times.

Promon reported the Stranghodd vulnerability to Google this summer, and now is disclosing it in compliance with Google’s 90-day disclosure timeline.

Is it possible to detect the exploitation of the Stranghodd flaw on user’s device?

Unfortunately, no. Experts explained that there’s no effective block or even reliable detection method against the StrandHogg attack. Victims may notice discrepancies during the use of their device, including:

• An app or service that you’re already logged into is asking for a login.
• Permission popups that does not contain an app name.
• Permissions asked from an app that shouldn’t require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
• Typos and mistakes in the user interface.
• Buttons and links in the user interface that does nothing when clicked on.
• Back button does not work like expected.

Pierluigi Paganini

(SecurityAffairs – StrandHogg flaw, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]