upnorth

Level 38
Verified
Trusted
Content Creator
Promon security researchers have found proof of a dangerous Android vulnerability, dubbed ‘StrandHogg’, that allows real-life malware to pose as legitimate apps, with users unaware they are being targeted.

What's the impact?
  • All versions of Android affected, incl. Android 10*
  • All top 500 most popular apps are at risk*
  • Real-life malware is exploiting the vulnerability
  • 36 malicious apps exploiting the vulnerability were identified*
  • The vulnerability can be exploited without root access
The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements. The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.
StrandHogg, unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allow malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire.
 

upnorth

At this point in time, what does one do to protect against this malicious exploit? Being aware is one thing; solving this issue is another.
Very good question/point! (y)

Even the security researchers found there is no available patch from Google yet. Users can still do much more than switch to another brand or flush the phone down the toilet, etc.
  1. Delete/uninstall apps that are not used or haven't been used in the last months. In general, not all apps can be uninstalled.
  2. Check app permissions, especially on apps that you're about to install. The report gives a great example of a weather app. Those don't need access to your contacts, photos and videos.
Do not go bananas and start removing/editing permissions on all apps, as it will for sure create more issues than it solves.

Still, there are several things alert users can do to detect malicious apps that attempt to exploit the vulnerability. Suspicious signs include:
  • An app or service that you're already logged into is asking for a login.
  • Permission popups that don't contain an app name.
  • Permissions asked from an app that shouldn't require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • Back button does not work as expected.
 
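As an added example (not from either post above and not Promon's code), here is a small check an analyst can run over a decoded AndroidManifest.xml to spot the setting the first post describes: an activity whose taskAffinity names a package other than its own. The manifest embedded below is constructed, with hypothetical package names (com.example.suspicious, com.example.bank). The check also reports allowTaskReparenting, the companion attribute that lets such an activity move into the foreign task; that attribute is not mentioned in the posts above.

```python
"""Flag activities whose taskAffinity would place them in another app's task.

Added example; not from the forum post or from Promon. The manifest below is a
constructed sample with hypothetical package names, not a real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: one activity declaring affinity with a
# hypothetical banking app's package, one with the default affinity, and one
# opted out of task joining with an empty taskAffinity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
  <application android:label="Flashlight">
    <activity android:name=".Main" />
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true" />
    <activity android:name=".Isolated" android:taskAffinity="" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def task_affinity_findings(manifest_xml):
    """Return one finding per activity whose affinity belongs to another package.

    The default affinity is the app's own package name, and an empty string
    means "no affinity" (such an activity cannot be used to join another
    task), so neither of those is flagged.  allowTaskReparenting is reported
    because it lets a matching activity move into the foreign task when that
    task comes to the foreground.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    app_affinity = _attr(app, "taskAffinity")
    app_reparent = _attr(app, "allowTaskReparenting")
    for activity in app.iter("activity"):
        name = _attr(activity, "name") or "?"
        if name.startswith("."):
            name = package + name  # resolve the shorthand class name
        affinity = _attr(activity, "taskAffinity")
        if affinity is None:
            # inherit the <application> affinity, else the package default
            affinity = package if app_affinity is None else app_affinity
        if affinity == "" or affinity == package or affinity.startswith(package + "."):
            continue
        reparent = _attr(activity, "allowTaskReparenting") or app_reparent or "false"
        findings.append({
            "activity": name,
            "taskAffinity": affinity,
            "allowTaskReparenting": reparent.lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in task_affinity_findings(SAMPLE_MANIFEST):
        print("%(activity)s: taskAffinity=%(taskAffinity)s "
              "allowTaskReparenting=%(allowTaskReparenting)s" % f)
```

To run it against a real APK, first decode the binary manifest, for example with the Android SDK's `apkanalyzer manifest print app.apk` (assumed to be installed), and pass the resulting text to `task_affinity_findings`. A finding is a signal to look closer, not proof of malice: an app may legitimately define affinities within its own namespace, which is why only affinities outside the app's package are reported.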