Cybersecurity researchers have discovered a new unpatched vulnerability in the Android operating system that dozens of malicious mobile apps are already exploiting in the wild to steal users' banking and other login credentials and spy on their activities.
Dubbed Strandhogg, the vulnerability resides in the multitasking feature of Android that can be exploited by a malicious app installed on a device to masquerade as any other app on it, including any privileged system app.
In other words, when a user taps the icon of a legitimate app, the malware exploiting the Strandhogg vulnerability can intercept and hijack this task to display a fake interface to the user instead of launching the legitimate application.
By tricking users into thinking they are using a legitimate app, the vulnerability makes it possible for malicious apps to conveniently steal users' credentials using fake login screens, as shown in the video demonstration.
"The vulnerability allows an attacker to masquerade as nearly any app in a highly believable manner," the researchers said.
"In this example, the attacker successfully misleads the system and launches the spoofing UI by abusing some task state transition conditions, i.e., taskAffinity and allowTaskReparenting."
"When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps."
Besides phishing login credentials, a malicious app can also escalate its capabilities significantly by tricking users into granting sensitive device permissions while posing as a legitimate app.
Discovered by researchers at Norwegian security firm Promon, Strandhogg task hijacking attacks are potentially dangerous because:"An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim's movements."
- it is almost impossible for targeted users to spot the attack,
- it can be used to hijack the task of any app installed on a device,
- it can be used to request any device permission fraudulently,
- it can be exploited without root access,
- it works on all versions of Android, and
- it doesn't need any special permissions on the device.
Promon spotted the vulnerability after analyzing a malicious banking Trojan app that hijacked bank accounts of several customers in the Czech Republic and stole their money
continue reading the article here: New Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild