A new bug has been found in the Android operating system that permits malicious apps to hijack legitimate apps and perform malicious operations on their behalf. It was found by security researchers from Promon, a Norwegian firm specializing in in-app security protections.
According to a report published by the research team, the vulnerability can be used to trick users into allowing intrusive permissions to malicious apps when they tap and interact with legitimate ones.
The vulnerability, named StrandHogg, can also be used to show fake login (phishing) pages when the user taps on a legitimate application.
Promon stated that this security flaw is being exploited in the wild by malware groups. The company found the StrandHogg vulnerability after it was informed by an Eastern European security company that several banks in the Czech Republic had reported money disappearing from customer accounts.
Promon supplies app security support to this Eastern European company who had provided a sample for its researchers to analyze. It was in this sample that they discovered the StrandHogg security flaw.
Promon then partnered with Lookout, a US-based mobile security firm, which confirmed the vulnerability and discovered 36 apps that were actively exploiting it in the wild.
Even though the names of the 36 apps that used the StrandHogg vulnerability were not disclosed, the company stated that none of them were available directly through the official Play Store.
These 36 apps were installed on users’ devices as second-stage payloads. Initially the users installed other malicious apps from the Play Store, which then downloaded the StrandHogg-infected apps for more intrusive attacks.
How StrandHogg works
The technical details of the StrandHogg vulnerability are easy to understand even for non-technical users.
StrandHogg is a bug in the OS component that handles multitasking, the mechanism that lets the Android operating system run multiple processes at once and switch between them as an app goes in or out of the user’s view.
A malicious app installed on an Android smartphone can exploit the StrandHogg bug to trigger malicious code when the user starts another app through a feature called “task reparenting.”
In an attack, the user taps on a legitimate app but ends up executing code from the malicious one. Because these actions occur right after the icon tap, the user believes the permission prompt or login screen was created by the legitimate app rather than the malicious one, and interacts with these elements without concern.
The researchers believe this makes StrandHogg attacks almost impossible for a user to detect. Moreover, a StrandHogg attack doesn’t need root access to run, and it works on all Android OS versions, including the latest Android 10 release.
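As an added illustration from the defender’s side (this is not code from Promon or from the report), the manifest-level attributes behind task reparenting can be audited statically. The script below, which assumes a decoded AndroidManifest.xml and uses a heuristic of my own rather than anything the article states, flags activities that declare android:allowTaskReparenting or a taskAffinity pointing at a different package, and, for an app developer’s own manifest, lists activities that have not pinned their task affinity with android:taskAffinity="". The sample manifest and package names are constructed for the example.

```python
# Added example (not from the article or from Promon): static audit of a decoded
# AndroidManifest.xml for the task-affinity and task-reparenting settings that
# StrandHogg-style task hijacking relies on. Heuristic and sample data are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical suspicious app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".OverlayActivity"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true"/>
    <activity android:name=".PinnedActivity" android:taskAffinity=""/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _activities(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    acts = [] if app is None else app.findall("activity")
    return package, acts


def audit_manifest(xml_text):
    """Triage heuristic for a third-party app: return {activity: [reasons]} for
    activities whose task settings let them attach to another package's task."""
    package, acts = _activities(xml_text)
    findings = {}
    for act in acts:
        name = _attr(act, "name")
        affinity = _attr(act, "taskAffinity")
        reasons = []
        # Default affinity is the app's own package; an explicit foreign value is the signal.
        if affinity not in (None, "", package):
            reasons.append("taskAffinity targets another package: " + affinity)
        if _attr(act, "allowTaskReparenting") == "true":
            reasons.append("allowTaskReparenting is enabled")
        if reasons:
            findings[name] = reasons
    return findings


def unpinned_activities(xml_text):
    """Hardening check for a developer's own app: activities that do not set
    android:taskAffinity="" and so still share a task by affinity."""
    _, acts = _activities(xml_text)
    return [_attr(a, "name") for a in acts if _attr(a, "taskAffinity") != ""]


if __name__ == "__main__":
    for activity, reasons in audit_manifest(SAMPLE_MANIFEST).items():
        print(activity)
        for r in reasons:
            print("  -", r)
    print("Activities without an empty taskAffinity:", unpinned_activities(SAMPLE_MANIFEST))
```

Run it against a manifest extracted from an APK under analysis (for triage) or against your own project’s manifest (for hardening); the checks are intentionally conservative and only report attributes that are explicitly declared.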
The Promon researchers tested the top 500 most popular Android apps on the Google Play Store and found that all of them could be hijacked to perform malicious actions via a StrandHogg attack.
The researchers notified the Android project of the vulnerability in the multitasking component over the summer, but Android OS developers had not fixed the issue after more than 90 days.
The company said the bug was named StrandHogg after the Old Norse word for the Viking tactic of raiding coastal areas to plunder and hold people for ransom.