Android users with fully patched devices, including those running the latest edition of the OS, Android 10, are vulnerable to a malware dubbed ‘StrandHogg’, which poses as legitimate apps and targets users’ bank accounts.
According to security researchers at Promon, an attacker can listen to the user of an infected device via the microphone, take photos through the camera, read and send SMS, make or record phone calls, access the contact list and phone logs, phish login credentials, access all the photos and files on the device, and receive GPS and location information.
The vulnerability affects users running Android 6 through Android 10 on their smartphones as it exploits user permissions. These Android versions account for a majority of active phones in the market today.
The researchers also found that 500 of the most popular Android apps are vulnerable to the malware. Lookout, a mobile security research firm, identified 36 malicious apps that are actively exploiting the vulnerability.
The research also points out that some of the infected apps are using variants of the BankBot trojan, one of the most widespread banking trojans, with infections detected in the US, Latin America, Europe and the Asia Pacific region as early as 2017.
“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information. The potential impact of this could be unprecedented in terms of scale, and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected,” said Tom Lysemose Hansen, CTO, Promon.
How does the attack work?
The vulnerability lets the attacker request permissions while the malicious app poses as the legitimate app. When the user opens the infected app, they are asked for permissions such as access to the camera or microphone, which users usually grant.
The user is then redirected either to the legitimate app or, if the attacker intends to phish, to a malicious login page that may clone the real app’s page, for example a bank app’s login page.
If the user is redirected to a cloned malicious login page, the attacker is looking to phish the user’s login credentials, along with other sensitive financial or personal information. Once the user enters the login details, they are sent to the attacker and the victim is redirected to the legitimate app.
So, without the user’s knowledge, the attacker can not only exploit the permissions granted on the victim’s phone to gain access to it but also phish for sensitive information, including bank account logins.
Malicious apps on the Google Play Store aren’t news; somehow they manage to slip through. A recent case in point was the popular CamScanner app, which has more than 100 million downloads and was found to contain malware.
“The specific malware sample which Promon analysed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted,” researchers at Promon wrote.