Another week, another report of dangerous malware on Android. In the last few months the Google operating system has been plagued by dangerous apps, adware and other harmful material. The most recent was said to be a Trojan called FakeAdsBlock, with the ability to display annoying adverts on a user's device with incredible persistence, which itself came only a few days after 150 apps on the Play Store were discovered to hide some nasty malware.
And now, Android users are being alerted to StrandHogg – a newly uncovered vulnerability that could allow a hacker to acquire sensitive data by placing fake overlay screens on top of particular apps.
Discovered by app security firm Promon, the flaw was said to allow a malicious third party to produce a fake log-in screen for certain apps. This means that if the user of an infected device types in their login for a social media or banking account, hackers could immediately receive the information.
Even more worrying, Promon said the vulnerability could be exploited to conduct something called “permission harvesting”, where the hacker could potentially gain access to a user’s microphone, camera, SMS messages and more. In a report discussing StrandHogg, the security firm said it had “tangible evidence” to suggest malicious third parties had already started to capitalise on the vulnerability to target “several banks”.
Promon said: “Promon has tangible evidence that hackers are exploiting StrandHogg in order to gain access to devices and apps. Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts. At the time, this was covered (but not explained), in the Czech media. Promon’s partner gave Promon a sample of the suspected malware to investigate.”
Promon collaborated with fellow security firm Lookout to meticulously scour the Google Play Store for apps exploiting the StrandHogg vulnerability. It reported that 60 different financial institutions were being targeted in this way.
The security firm has already disclosed its findings to Google. The American tech firm has since responded by reassuring Android fans it has “suspended” any “potentially harmful” apps that were identified.
In a statement, the tech giant said: “We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Despite Google removing the apps in question, Promon said certain apps continue to slip through the American firm’s Play Protect security system, suggesting further apps could exploit StrandHogg in the future.
The app security company said: “The specific malware sample which Promon analysed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play.
“These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted.”
Apparently not even those running the latest version of Google’s operating system can completely escape the prospect of being plagued by StrandHogg. Promon said the vulnerability can be exploited on all versions of Android, while the ability to harvest permissions is only a problem on Android 6 Marshmallow and newer.
While Promon admitted it’s generally quite difficult to detect whether someone is exploiting the StrandHogg vulnerability on your device, it said there were a few telltale signs to look out for.
These were said to be:
• An app or service that you’re already logged into is asking for a login
• Permission pop-ups that do not contain an app name
• Permission requests from an app that shouldn’t need the permissions it asks for, for example a calculator app asking for GPS permission
• Typos and mistakes in the user interface
• Buttons and links in the user interface that do nothing when clicked
• The back button does not work as expected