Norwegian app security company Promon on Monday disclosed the existence of a vulnerability that has been exploited by tens of malicious Android apps, and warned that hundreds of popular applications are at risk of being targeted.
Promon has dubbed the flaw StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom.
According to the company, StrandHogg attacks are possible due to a weakness in Android’s multitasking system, which allows a malicious application installed on the device to pose as a legitimate application in an effort to trick the victim into granting it elevated permissions.
A malicious Android app that does not have root access to the compromised device can exploit StrandHogg to trick the user into granting it the permissions needed to access files stored on the device, the camera, GPS location, SMS messages, contacts, the microphone and more.
Once it has these permissions, the malware can spy on the user through the device’s camera and microphone, read SMSs, phish login credentials (including 2FA codes via SMS), access private photos and videos, obtain the device’s location, access contacts and call logs, and even make calls and record the victim’s conversations.
Mobile security firm Lookout has identified 36 malicious applications exploiting the vulnerability, including variants of the BankBot banking Trojan that have been around since at least 2017.
Promon identified the StrandHogg vulnerability during the analysis of a malware sample designed to target banks in the Czech Republic. The company says that while the sample in question did not originate from the Google Play store, it was installed through several downloaders distributed via the official Android app store.
Promon told SecurityWeek that while Google has removed the downloader applications from the Play store, the tech giant has yet to release any patches for Android. The security firm said it reported its findings to Google this summer.
SecurityWeek has also reached out to Google for information regarding a possible patch for Android, but the company appears to be focusing on detecting and blocking malicious apps that exploit StrandHogg.
“We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified,” a Google spokesperson said. “Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Promon says the attack works on all versions of Android, including the latest Android 10, and it has determined that the 500 most popular Android apps are all susceptible to attacks.
In a StrandHogg attack, the malicious app hijacks a legitimate application’s task, which allows it to display a permissions request dialog box that appears to belong to the legitimate app, when in fact the permissions being requested are those needed by the malicious app.
Then, when the victim opens the legitimate app again, the malware can, for example, display a fake login page in an effort to phish the victim’s credentials.
“In the background, the attack prepares and hijacks the target before the user even sees anything on the screen. Other than some minor flickering on certain devices, the user will only see the benign activity and will have no idea that malicious activity has taken place,” Promon explained.
The attack does not require the device to be rooted and the initial phase does not require any special permissions. Promon has published technical details and a video showing how the StrandHogg attack works.