StrandHogg Android vulnerability under active attack by dozens of malicious apps

Security researchers have discovered a dangerous Android vulnerability dubbed “StrandHogg” under active attack by dozens of malicious apps. To add, 500 of the most popular apps may also be vulnerable to the StrandHogg vulnerability.

Researchers from Promon first spotted StrandHogg and reported the vulnerability to Google this past summer. Promon also reached out to security firm Lookout to help identify malicious apps that could be targeting the vulnerability.

According to Promon, StrandHogg is a vulnerability in Android OS that allows a malicious application to ask for permissions while masquerading as the legitimate application. As a consequence, attackers can use the fake UI or screen overlay to trick users into entering sensitive information such as login credentials.

Bad actors have used screen overlays like StrandHogg as part of banking trojans to harvest permissions. The stolen data is immediately sent to the attacker for future malicious attacks.

Lookout further confirmed 36 malicious applications have been exploiting StrandHogg, to include variants of a banking trojan dubbed Bankbot. Activity on this malware goes back to 2017.

In addition, Promon researchers also discovered all versions of Android are affected, to include Android 10.

StrandHogg Vulnerability explained

Promon explains how the StrandHogg vulnerability “uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device.”

“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” the Promon researchers added.

Furthermore, the actual malware gets distributed via malicious “dropper” applications or hostile downloaders. However, the malware itself did not reside in Google Play.

Readers can review more details on StrandHogg in the Promon and Lookout blog posts. Users and organizations can also protect their mobile phones with mobile security and anti-malware solutions such as Lookoout.