Researchers say all versions of the Android mobile operating system are affected

UPDATED A vulnerability in the Android operating system with far-reaching impact has been disclosed by researchers.

On Monday, John Høegh-Omdal, Caner Kaya, and Markus Ottensmann from application security firm Promon said the bug, dubbed StrandHogg, “allows real-life malware to pose as legitimate apps, with users unaware they are being targeted”.

What makes StrandHogg – named in honor of an Old Norse phrase relating to plunder and ransom – particularly dangerous is that the bug does not need a device to be rooted.

Weakness in Android’s multitasking system has instead made it possible for the taskAffinity function to be exploited for app spoofing.

A malicious app can request permissions while pretending to be legitimate software.

This could include requesting access to contact lists, images and video, microphone and call functions, GPS data, and phone logs, among other features.

An attacker would be able to conduct surveillance on their victim, track movements, steal mobile content, and hijack device functionality.

“Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using,” the team at Promon says.

StrandHogg can also provide the conduit for legitimate app icons to be tampered with, and so when a user clicks them, malicious apps are opened in their stead.

Google has said that its app scanning technology Play Protect currently defends against this technique.

‘No reliable detection method’

According to the researchers, all versions of Android are impacted, including Android 10, although the permissions-harvesting element only works in Android 6 and above.

The 500 most popular apps in the Google Play Store, as listed by mobile app intelligence firm 42 Matters, are equally deemed vulnerable.

There is no “reliable detection method” to discover StrandHog infections, nor is there an “effective block,” according to Promon.

Partner firm Lookout performed a scan for vulnerable apps on the Google Play Store, finding that 36 malicious apps have exploited StrandHogg to deploy the BankBot banking Trojan and other malware payloads.

If a user clicks on what they believe is their legitimate banking app, for example, login credentials could be harvested and sent to a command-and-control (C2) server controlled by threat actors.

Reports of Czech Republic bank accounts becoming compromised through mobile malware led to the discovery of StrandHogg.

The research also leans upon a study conducted in 2015 by Penn State University (PDF) in relation to the vulnerability’s potential impact.

Promon says that Google “dismissed” the issue when it first reported over the summer – although the tech giant has removed the malicious apps discovered by the research team.

Lars Lunde Birkeland, director of Promon marketing and communications, told The Daily Swig: “Google should take phishing attacks more seriously. And perhaps most importantly: Find a solution for dropper apps, [the] hostile downloader problem, which seems to continue to escalate.”

The news comes not long after Google announced a partnership with ESET, Lookout, and Zimperium to improve Google Play security barriers through the integration of additional scanning technologies to weed out malicious app submissions.

A Google spokesperson told The Daily Swig: “We appreciate the researchers work, and have suspended the potentially harmful apps they identified.

“Google Play Protect detects and blocks malicious apps, including ones using this technique.

“Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.” 


This article has been updated to include comment from Google.


RELATED Google partners with mobile security firms to boost Android app defenses