Experts from the Norwegian company Promon have discovered a vulnerability in Android that allows malicious applications to impersonate legitimate ones and perform malicious operations on their behalf.
The vulnerability, called StrandHogg, can trick the user into granting dangerous permissions to a malicious application while the user believes they are interacting with a legitimate one. The bug can also be used to show victims fake login pages when they open legitimate applications.
According to the experts, the problem is already being exploited by attackers. The vulnerability came to light when an unnamed Eastern European security company serving the financial sector turned to Promon for help after several banks in the Czech Republic reported that money had disappeared from customer accounts. The Eastern European partner provided the researchers with a sample for analysis, and that is where they identified the StrandHogg problem.
Promon analysts, together with experts from Lookout, found that at least 36 malicious applications exploit the vulnerability. The researchers do not disclose their names, but emphasize that none of the applications was distributed directly through the official Google Play Store. Most often the applications reached users' devices as second-stage payloads: the victims first downloaded and installed another piece of malware from the Play Store, which then delivered them.
On the technical side, the root of StrandHogg lies in how Android switches between the processes associated with different operations and applications; in essence, the problem sits in the component responsible for multitasking. As a result, when a user launches a legitimate application, malware can use StrandHogg to run its own code instead, relying, for example, on the taskAffinity and allowTaskReparenting attributes.
So the user launches a legitimate application, but the code that actually runs is the malicious one. Such code may request dangerous permissions or display phishing pages. Because all of this happens right after tapping the icon of a legitimate application, the user will assume that the permission request or login screen came from that application and is unlikely to suspect spoofing.
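The two manifest attributes named above are the natural thing for an app-vetting or triage pipeline to look at. The following added example, which is not Promon's code and not part of the original article, parses an AndroidManifest.xml and flags activities whose taskAffinity points outside the app's own package or that set allowTaskReparenting to true; both are legitimate settings in some apps, so the output is a review signal, not a verdict. The manifest, package names and activity names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration (not from the article).
# Package and activity names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reviewed">
  <application android:label="Sample">
    <activity android:name=".MainActivity" />
    <activity android:name=".SecondActivity"
        android:taskAffinity="com.example.otherapp"
        android:allowTaskReparenting="true" />
    <activity android:name=".StandaloneActivity"
        android:taskAffinity="" />
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_task_affinity_findings(manifest_xml):
    """Return a list of {activity, reasons} for activities worth a manual look.

    Rules (defender-side heuristics, assumptions of this example):
      * taskAffinity set to a value other than the app's own package name
        (an empty string means "no affinity" and is a hardening choice,
        so it is not flagged);
      * allowTaskReparenting="true", whether set on the activity or
        inherited from <application>.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # <application> level values act as defaults for every activity.
    app_affinity = android_attr(app, "taskAffinity")
    app_reparent = android_attr(app, "allowTaskReparenting") == "true"

    for activity in app.iter("activity"):
        name = android_attr(activity, "name") or "<unnamed>"
        affinity = android_attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_affinity
        reparent_raw = android_attr(activity, "allowTaskReparenting")
        reparent = app_reparent if reparent_raw is None else reparent_raw == "true"

        reasons = []
        if affinity not in (None, "") and affinity != package:
            reasons.append("taskAffinity %r differs from package %r" % (affinity, package))
        if reparent:
            reasons.append("allowTaskReparenting=true")
        if reasons:
            findings.append({"activity": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_task_affinity_findings(SAMPLE_MANIFEST):
        print(finding["activity"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against the manifest extracted from an APK (for example with apktool or aapt2 dump) and feed the flagged activities into manual review; a foreign affinity combined with reparenting is the combination that deserves the closest look.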
According to Promon, StrandHogg does not require root access and works on all versions of Android, including the latest, Android 10. The experts also checked the 500 most popular applications in the Google Play Store and found that the processes of these applications could be compromised with StrandHogg and used to perform malicious actions.
The researchers write that they notified Google engineers about the problem last summer; however, the vulnerability was not fixed within the customary 90-day disclosure period.