StrandHogg vulnerability enables malicious software to masquerade as trusted Android apps

The vulnerability stems from a multitasking feature in Android

Researchers have discovered a security vulnerability in the Android OS that could allow attackers to run malicious processes on a phone without the user's knowledge.

The vulnerability, dubbed StrandHogg, enables malicious apps to appear as legitimate and trusted apps already installed on phones.

StrandHogg affects millions of fully patched Android phones, according to researchers from Norwegian app security firm Promon, who first discovered the security flaw. It affects all versions of Android, including the latest Android 10 release.

StrandHogg stems from a multitasking feature in the Android OS called TaskAffinity, which allows apps to take on the identity of other apps running in the multitasking system.

Malicious apps can easily exploit this feature by setting the TaskAffinity for their activities to match the package name of a legitimate third-party app.

This allows malicious apps to request intrusive permissions from users while pretending to be a trusted app. So, when the user taps a trusted app's icon on the screen, a malicious version starts instead.

The user has no indication that they are giving permission to malware.
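Because the abuse described above hinges on an app declaring a task affinity that belongs to someone else's package, a reviewer can screen a decoded manifest for exactly that. The following Python scanner is an added example for this article (it is not Promon's or Lookout's tooling) and assumes the APK's AndroidManifest.xml has already been decoded to readable XML, for instance with apktool; the package names in the embedded sample manifest are constructed for illustration. It flags any `<application>` or `<activity>` whose `android:taskAffinity` points outside the app's own package.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (not a real app).
# One activity declares an affinity for a package that is not its own.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".LoginActivity"
              android:taskAffinity="com.example.bank" />
    <activity android:name=".SettingsActivity"
              android:taskAffinity="" />
  </application>
</manifest>
"""


def _android_attr(element, attr):
    """Read an android:<attr> attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, attr))


def find_foreign_task_affinities(manifest_xml):
    """Return (element name, taskAffinity) pairs whose affinity is set to a
    value that is neither empty nor inside the app's own package.

    The default affinity is the app's own package name, so an absent
    attribute is never flagged; an empty string removes the affinity
    entirely and is not flagged either.
    """
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package", "")
    hits = []
    for element in root.iter():
        if element.tag not in ("application", "activity"):
            continue
        affinity = _android_attr(element, "taskAffinity")
        if affinity is None or affinity == "":
            continue
        if affinity == own_package or affinity.startswith(own_package + "."):
            continue
        name = _android_attr(element, "name") or element.tag
        hits.append((name, affinity))
    return hits


def scan_manifest_file(path):
    """Scan a decoded AndroidManifest.xml on disk."""
    with open(path, "r", encoding="utf-8") as handle:
        return find_foreign_task_affinities(handle.read())


if __name__ == "__main__":
    # Usage: python scan_affinity.py path/to/decoded/AndroidManifest.xml
    # With no argument the constructed sample manifest is scanned.
    if len(sys.argv) > 1:
        findings = scan_manifest_file(sys.argv[1])
    else:
        findings = find_foreign_task_affinities(SAMPLE_MANIFEST)
    for name, affinity in findings:
        print("suspicious taskAffinity: %s -> %s" % (name, affinity))
```

A hit is a signal for manual review rather than proof of malice, since legitimate apps occasionally share tasks across related packages; the point is that an affinity naming an unrelated package, especially a banking or messaging app, is precisely the configuration this vulnerability relies on and deserves a closer look.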

Hackers can exploit the vulnerability without root access, according to researchers. When exploited, this allows an attacker to:

Promon said an Eastern European security firm for the financial sector first highlighted the bug, which helped the company to identify StrandHogg. The security firm, in turn, heard about the vulnerability when a number of banks in the Czech Republic told it about incidents of money disappearing from customer accounts.

The Eastern European security firm also provided a malware sample to Promon researchers for analysis, which was found to be exploiting the security vulnerability.

Researchers from Lookout, a mobile security provider, also confirmed the security flaw and identified 36 malicious apps exploiting the flaw, including BankBot variants.

"A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps," Lookout stated.

"Attackers are then able to create fraudulent financial transactions."

"While Android has safeguards in place to defend against overlay attacks, by using StrandHogg, attackers can still mount such an attack even against current versions of Android," it added.