Google Android threats continue to hit users thick and fast. And today is no different: Security researchers have detailed a newly discovered Android vulnerability that they call “StrandHogg,” which allows malware to pose as legitimate apps to attack users of Google’s operating system.
The “dangerous” Android vulnerability could grant hackers access to your private SMS and photos, steal your login credentials, track your movements, record your phone conversations, and spy through your phone’s camera and microphone, according to researchers at Norwegian app security company Promon.
The researchers conducted an investigation into real-life malware that exploits the serious flaw, and found all of the top 500 most popular apps are at risk, with all versions of Android affected, including Android 10.
Promon said it first identified StrandHogg after being informed by a partner security company that “several banks in the Czech Republic had reported money disappearing from customer accounts.”
One of Promon’s partners, Lookout, confirmed it has identified 36 malicious apps exploiting the StrandHogg vulnerability. Among them was BankBot, a dangerous and well-known banking trojan which has been in action since as far back as 2017.
Promon CTO Tom Lysemose Hansen said that if left unaddressed, StrandHogg’s potential impact could be “unprecedented in terms of scale and the amount of damage caused, because most apps are vulnerable by default and all Android versions are affected.”
New Google Android threat: How does StrandHogg work?
StrandHogg is “unique” according to the researchers, because it allows attacks on even unrooted devices. It works its evil by using a weakness in Android’s multi-tasking system to orchestrate attacks that enable malicious apps to hide in plain sight by pretending they are legit apps on your device.
The result? Masquerading as one of your installed applications, the bad app can then ask for permissions, including text messages, GPS, microphone, photos and more. Hackers can then track your location, read your messages and listen to your conversations.
They can also access your login credentials if you enter them into the fake app, including your banking information. Very scary indeed.
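The article describes the mechanism only at a high level (a malicious app slipping into the multitasking state of a legitimate one). For developers who want a concrete check, the following is an added example, not code from the article or from Promon: a small audit script that parses an AndroidManifest.xml and flags activities that keep Android’s default task affinity (the package name) or set a custom one. Clearing the affinity with `android:taskAffinity=""` is the commonly recommended hardening against Android task hijacking; the manifest below is a constructed sample, and the package and activity names in it are made up.

```python
"""Audit an Android manifest for activities exposed to task hijacking.

Added example (not from the article or Promon). Rule applied: an activity whose
task affinity is not the empty string shares a task with anything else that
carries the same affinity, which is what task-hijacking malware relies on.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: three activities with different affinity settings.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="ExampleBank">
    <!-- No taskAffinity attribute: defaults to the package name (flagged) -->
    <activity android:name=".LoginActivity" android:exported="true"/>
    <!-- Empty affinity: activity does not join anyone else's task (ok) -->
    <activity android:name=".MainActivity" android:taskAffinity=""/>
    <!-- Custom affinity: still shareable, and reparenting is allowed (flagged) -->
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.example.shared"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_task_affinity(manifest_xml: str) -> list:
    """Return one finding per <activity> with its effective affinity and a flag."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for act in app.iter("activity"):
        name = _android_attr(act, "name") or "<unnamed>"
        affinity = _android_attr(act, "taskAffinity")
        # Android's default affinity is the application's package name.
        effective = package if affinity is None else affinity
        reparent = (_android_attr(act, "allowTaskReparenting") or "").lower() == "true"
        findings.append({
            "activity": name,
            "effective_affinity": effective,
            "allow_task_reparenting": reparent,
            # Anything other than an empty affinity can share a task.
            "flagged": effective != "",
        })
    return findings


def flagged_activities(manifest_xml: str) -> list:
    """Names of activities that should get android:taskAffinity=""."""
    return [f["activity"] for f in audit_task_affinity(manifest_xml) if f["flagged"]]


if __name__ == "__main__":
    for f in audit_task_affinity(SAMPLE_MANIFEST):
        mark = "FLAG" if f["flagged"] else "ok  "
        print(f'{mark} {f["activity"]:<20} affinity={f["effective_affinity"]!r} '
              f'reparenting={f["allow_task_reparenting"]}')
```

Run the script against a real manifest by reading the file into `audit_task_affinity`; the activities it flags are the ones whose task an outside app with a matching affinity could join. Clearing the affinity on them is a build-time change that does not depend on which Android version the device runs.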
Promon’s study expands upon research carried out by Penn State University in 2015 that saw researchers theoretically describe some aspects of the vulnerability. Promon said: “Google, at the time, dismissed the vulnerability’s severity, but Promon has tangible evidence that hackers are exploiting StrandHogg in order to gain access to devices and apps.”
The specific malware analyzed by Promon was not taken from Google Play, but was installed through several so-called dropper apps distributed on Google’s Android store. “These apps have now been removed, but in spite of Google’s Play Protect security suite, malicious apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted,” Promon said.
Another dropper app was the malicious CamScanner app, a PDF creator containing a malicious module, which has been downloaded more than 100 million times.
StrandHogg Android threat: What to do
Thankfully, something is being done to address the issue. Google has confirmed to the BBC that it has taken steps to address the vulnerability and has suspended the apps proven to be affected.
Google sent me a statement via email, which reads: “We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique.
“Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Even so, it’s still a “pretty significant threat,” says security researcher Sean Wright: “By the looks of it, it is not hypothetical: it is being actively exploited.”
Worse, he says, to the average and perhaps even more advanced user, “there is no way to distinguish that something is wrong.”
“The fake login screen is especially worrying: There would be no discernible way for a user to tell that the screen is indeed fake.”
Ethical hacker John Opdenakker agrees: “This shows again that it’s important to be very careful with installing Android apps from Google’s Play Store. While Google has removed the known malicious apps, it’s still possible that similar apps will reappear because the underlying vulnerability is not yet fixed.”
So what can you do? There is no way you can tell that an app is being exploited, and there is no means to block it. Wright says that, ultimately, your best defense is to be very cautious about apps you install.
“Only install apps which you are going to use and need. Also read reviews, or even do a web search on the app and the app developer. Only install via the official Play Store. If in doubt, don’t install the app.”
At the same time, be very careful about permissions you allow your apps. The exploit acts through permissions, so you should be cautious, especially when allowing any apps to access your phone or microphone.