Dnewscafe: Promon, a Norwegian firm specialising in in-app protection, found proof of this dangerous Android vulnerability, which they call ‘StrandHogg’, Old Norse for the Viking tactic of raiding coastal areas to plunder and hold people for ransom.
The vulnerability allows sophisticated malware attacks without the device needing to be rooted. Attackers exploit an Android control setting called ‘taskAffinity’, which lets any app freely assume any identity in Android’s multi-tasking system.
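As an added example that is not Promon’s code or part of this article, the Python script below audits an AndroidManifest.xml for activities that declare a taskAffinity belonging to some other package (the control setting named above) or that set allowTaskReparenting, a related manifest attribute included here as an assumption beyond the article; the sample manifest is constructed. Hits are prompts for a reviewer during app vetting, not proof that an app is malicious.

```python
import xml.etree.ElementTree as ET

# Namespace used by every android:* attribute in AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: a "flashlight" app whose second activity declares
# a taskAffinity belonging to a different package and allows task reparenting.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml):
    """Return (activity, reason) findings for activities whose task settings
    would let them be placed into another package's task.

    Triage heuristic for app vetting, not proof of malice: a hit means a
    reviewer should ask why the activity needs that setting.
    """
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package")
    app = root.find("application")
    # Activities inherit the <application> affinity; the default is the package name.
    app_affinity = app.get(ANDROID_NS + "taskAffinity") if app is not None else None
    findings = []
    for activity in root.iter("activity"):
        name = activity.get(ANDROID_NS + "name")
        affinity = activity.get(ANDROID_NS + "taskAffinity")
        if affinity is None:
            affinity = app_affinity if app_affinity is not None else own_package
        reparent = activity.get(ANDROID_NS + "allowTaskReparenting", "false")
        # An empty affinity means "no task affinity"; any other value that is not
        # our own package name is an affinity for somebody else's task.
        if affinity != "" and affinity != own_package:
            findings.append((name, f"taskAffinity '{affinity}' is not own package '{own_package}'"))
        if reparent.lower() == "true":
            findings.append((name, "allowTaskReparenting is enabled"))
    return findings


if __name__ == "__main__":
    for activity, reason in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{activity}: {reason}")
```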
How does it attack Android’s multi-tasking vulnerability?
According to research by Penn State University in 2015, which theoretically described some aspects of the weakness, the Android task management mechanism was plagued by ‘severe security risks’.
“When abused, these convenient multi-tasking features can backfire and trigger a wide spectrum of ‘task hijacking attacks’,” researchers wrote.
They explained that when a user launches an app, an attacker can condition the system to display a spoofed user interface (UI) under the attacker’s control instead of the real UI from the original app, without the user’s awareness. All apps on the user’s device are vulnerable, including privileged system apps.
Google, at that time, dismissed the vulnerability’s severity.
Promon expanded on that study and researched real-life malware that exploits this serious flaw. It found that all of the top 500 most popular apps (as ranked by 42Matters, an app intelligence company) are at risk.
According to Promon, the specific malware sample did not reside on Google Play, but was installed through several dropper apps/hostile downloaders distributed by Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted.
Dropper apps are those that either have or pretend to have functionality of popular apps, but they also install additional apps to a device that can be malicious, or steal data.
How can I tell if an app is trying to scam me using StrandHogg?
As much as I hate to say it, common sense is your best guide. If something feels strange with an app you’re using, even one you know is legitimate, you should be skeptical. Maybe don’t input your login and password (or payment information) if asked, and don’t give an app extra permissions if it asks for them out of the blue.
How can you be safe from this attack?
Currently, there is no effective way to block or even detect StrandHogg on the device itself. However, as a user, you should be alert to the following discrepancies on your device:
An app or service that you’re already logged into is asking for a login.
Permission popups that do not contain an app name.
Permissions requested by an app that shouldn’t need them, for example a calculator app asking for GPS permission.
Typos and mistakes in the user interface.
Buttons and links in the user interface that do nothing when clicked.
The back button does not work as expected.