A few days ago, researchers from the security company Promon disclosed, in a post on their blog, a vulnerability affecting millions of Android phones. The vulnerability is being actively exploited by malicious software designed to drain the bank accounts of infected users.
The vulnerability allows a malicious application to pose as a legitimate application that the target has already installed and trusts, and to request permissions under that disguise. An attacker can ask for any permission, including SMS, photos, microphone, and GPS, and thereby read messages, view photos, listen to conversations, and track the victim's movements.
By exploiting the vulnerability, a malicious application installed on the device can deceive the user: when the user taps the icon of a legitimate application, what appears on the screen is actually a malicious version of it.
When the victim enters their login details on this fake interface, the confidential information is immediately sent to the attacker, who can then log in to and control applications that may hold sensitive data.
The vulnerability has been named StrandHogg, after the Old Norse term for the Viking tactic of raiding coastal areas to loot and hold people for ransom.
“StrandHogg is unique because it allows sophisticated attacks without having to root a device. It uses a weakness in the Android multitasking system to launch powerful attacks that allow malicious applications to pretend to be any other application on the device.”
“Promon has been researching real-world malware that exploits this serious vulnerability and has found that the 500 most popular applications (ranked by the 42 Subject Barometer) are vulnerable, with all versions of Android affected.”
For its part, Lookout, a mobile security provider and partner of Promon, announced that it had found 36 applications exploiting the vulnerability for identity theft. The malicious apps included variants of the BankBot banking Trojan. BankBot has been active since 2017, and its malicious apps have been found on the Google Play market several times.
The vulnerability is more severe in Android versions 6 to 10, which reportedly account for approximately 80% of Android phones worldwide. On these versions, attacks allow malicious applications to request permissions while presenting themselves as legitimate applications.
There is no limit to the permissions these malicious applications can request. Access to text messages, photos, microphone, camera and GPS are some of the possibilities. A user's only defense is to answer "no" to the requests.
The vulnerability lies in a feature known as TaskAffinity, a multitasking mechanism that allows applications to assume the identity of other applications or tasks running in a multitasking environment.
Malicious applications exploit this feature by setting the TaskAffinity (the android:taskAffinity manifest attribute) of one or more of their activities to match the package name of a trusted third-party application.
Promon said Google has removed the malicious apps from the Play Store, but so far the vulnerability does not appear to have been fixed on all versions of Android. Google representatives did not respond to questions about when the vulnerability will be fixed, how many Google Play apps exploit it, or how many end users are affected.
StrandHogg poses the biggest threat to less experienced users, such as those with cognitive or other disabilities that make it difficult to pay close attention to subtle behaviors in apps.
Still, there are several things users can do to detect malicious apps trying to exploit the vulnerability. Suspicious signs include:
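As an added defender-side illustration (not code from Promon or from the article), the following Python script scans a decoded AndroidManifest.xml, such as the one apktool produces, for activities whose taskAffinity points outside the app's own package, which is exactly the pattern described above. The manifest, package names and activity names below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a "calculator" app with one activity whose
# taskAffinity is set to another app's package name (the StrandHogg pattern).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
  <application android:label="Calculator">
    <activity android:name=".MainActivity" />
    <activity android:name=".OverlayActivity"
        android:taskAffinity="com.example.trustedbank"
        android:allowTaskReparenting="true" />
    <activity android:name=".Settings"
        android:taskAffinity="com.example.calculator.settings" />
  </application>
</manifest>
"""


def suspicious_affinities(manifest_xml):
    """Return (activity name, taskAffinity) pairs whose affinity names a
    package other than the app's own. Such an activity can be placed into
    (or pulled into) the task of the application it names."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        affinity = act.get(f"{{{ANDROID_NS}}}taskAffinity")
        # Unset = default affinity (own package); "" = no affinity at all.
        if not affinity:
            continue
        # Affinities inside the app's own package namespace are normal.
        if affinity == own_pkg or affinity.startswith(own_pkg + "."):
            continue
        findings.append((act.get(f"{{{ANDROID_NS}}}name"), affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in suspicious_affinities(SAMPLE_MANIFEST):
        print(f"{name}: taskAffinity={affinity} (outside own package)")
```

The same attribute is the hardening knob for your own app: an activity with android:taskAffinity set to the empty string has no affinity and will not share a task with other activities.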
- An application or service you are already signed in to asks you to sign in again.
- Permission pop-ups that do not contain the name of an application.
- An application requesting permissions it should not need. For example, a calculator application requesting GPS permission.
- Typos and mistakes in the user interface.
- Buttons and links in the user interface that do nothing when clicked.
- Back button not working as expected.