Promon, a Norwegian app security firm, disclosed on Monday that tens of malicious Android apps have exploited a vulnerability and cautioned that hundreds of popular apps are at risk of being attacked.
Cybersecurity researchers have found a new unpatched vulnerability in the Android operating system that is already being exploited in the wild by hundreds of malicious mobile apps to snatch banking and other login information from users and spy on their activities.
Dubbed Strandhogg, the vulnerability resides in Android’s multitasking functionality, which a malicious app installed on a phone can exploit to masquerade as any other app on it, including any authorized system app.
Simply put, when a user taps a genuine app icon, malware exploiting the Strandhogg vulnerability may intercept and hijack that task, displaying a fake user interface instead of launching the legitimate app.
The vulnerability enables malicious apps to easily steal passwords by presenting fake login screens that trick users into believing they are using a legitimate app.
“The vulnerability allows an attacker to masquerade as nearly any app in a highly believable manner,” the researchers said.
In addition to phishing login credentials, a malicious app can significantly expand its capabilities by posing as a legitimate app and tricking users into granting sensitive device permissions.
“An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements.”
Strandhogg task hijacking attacks, discovered by researchers at the Norwegian security firm Promon, are potentially dangerous because:
- It’s nearly impossible for targeted users to detect the attack.
- It can be used to hijack the task of any app installed on a device.
- It can be used to fraudulently request any system authorization.
- It can be exploited without root access.
- It works on all Android versions.
- It doesn’t depend on any special device permissions.
Promon identified the vulnerability after analyzing a malicious banking Trojan app that hijacked the bank accounts of several customers in the Czech Republic and stole their money.
Some of the identified malicious apps were also distributed through several droppers and hostile downloader apps on the Google Play Store, according to researchers.
Promon reported the Strandhogg vulnerability to the Google Security Team this summer and released details today after the tech giant failed to patch the issue even after the 90-day disclosure timeline.
Although there is no efficient and reliable way to block or track task hijacking attacks, users may be able to spot one by keeping an eye on discrepancies such as the following:
- An app that you are already logged in to asks for a login.
- Permission popups that don’t have an app name.
- Permission requests from an app that should not require or need the permissions it asks for.
- The user interface buttons and links do nothing when clicked on.
- The back button may not work as expected.