Android vulnerability literally makes apps vulnerable, allows taking control of phones

A vulnerability, named StrandHogg, allows malware to pose as any legitimate app, gain permissions and literally hijack the phone

An Android vulnerability allows malware to pose as any legitimate app, found researchers at Promon. By tapping this vulnerability, named StrandHogg, hackers can access private SMS’ and photos, steal victims’ log-in credentials, track movements, make and record phone conversations, and spy through a phone’s camera and microphone.

All versions of Android, including Android 10, harbour this dangerous vulnerability, said the report prepared by researchers John Høegh-Omdal, Caner Kaya and Markus Ottensmann. As a result, all of the 500 most popular apps (as ranked by app intelligence company 42 Matters) are vulnerable to StrandHogg, said the report.

The hackers access the above mentioned data through "permission harvesting" and phishing, explained the report.

"The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app," read the report. 

"The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using."

Promon’s findings make the vulnerability "as severe as it’s ever been,'' commented Sam Bakken, senior product marketing manager at OneSpan.

The discovery comes hard on the heels of Google’s confirmation that there was a bug in Google and Samsung phones that literally spies on its users.

"Promon’s study significantly expands upon research carried out by Penn State University in 2015, where researchers theoretically described certain aspects of the vulnerability. Google, at the time, dismissed the vulnerability’s severity, but Promon has tangible evidence that hackers are exploiting StrandHogg in order to gain access to devices and apps," said the report.

"At least 36 examples of malware attacking the vulnerability as far back as 2017 have been identified—some being variants of the notorious Bankbot Trojan. This goes to show you that attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money," said Bakken. 

However, app developers can mitigate the risk by opting for in-app protection, he suggested. Gartner forecasts that by 2022, at least 50 percent of successful attacks against clickjacking and mobile apps could have been prevented using in-app protection

"One of the most important aspects of Android app security is to lock down exported activities. Within Android, intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request," said Craig Young, senior security researcher at Tripwire.

Finding similarities with the issue in Google and Samsung phones, he noted that malicious apps with permission to access storage and camera could take photos and videos and then access the resulting media files from the phone’s internal storage

"In the long-term, I think the Android Open Source Project needs to seriously consider finer grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews