Security researchers from Norwegian firm Promon have warned of a dangerous vulnerability in Android mobile operating system that allows malicious apps to impersonate legitimate trusted apps already installed on a device. Masquerading as trusted apps, the malicious apps can request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, getting location and GPS information, reading text messages or harvesting login credentials. According to researchers from Lookout, they have found 36 apps exploiting this vulnerability, including versions of the BankBot banking trojan, which has been active since 2017 and has been frequently spotted infiltrating the Google Play Store.
The researchers said that the flaw, which has been dubbed ‘StrandHogg’, affects all versions of Android, including the most recent Android 10, and can be exploited without root access.
“The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements,” Promon said.
“By exploiting this vulnerability, a malicious app installed on the device can attack the device and trick it so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen.”
The issue resides in a function known as TaskAffinity, a multitasking feature that allows any app to assume any identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the taskAffinity on one or more of its activities to match the packageName of any third-party app.
“Then, by either combining with allowTaskReparenting=”true” in manifest, or by launching the activity with intent-flag of Intent.FLAG_ACTIVITY_NEW_TASK the malicious activity will be placed within and on top of the target’s task.Thus the malicious activity hijacks the target’s task. The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible,” the researchers explained.
A successful attack only requires the malicious app to disguise itself as a legitimate target application. Moreover, it is even “possible to hijack such a task before the target app has even been installed”.
The researchers have conducted research of real-life malware that exploits this vulnerability and found all of the top 500 most popular apps are at risk. Neither Promon nor Lookout disclosed the names of the malicious apps they identified.
The researchers said they reported the Stranghodd vulnerability to Google this summer, and while Google removed the impacted apps from Google Play, to their knowledge the issue has not yet been addressed in any version of Android.
Unfortunately, it is not possible to detect the exploitation of the Stranghodd flaw on a user’s device. As Promon explained, there is no effective block or even reliable detection method against StrandHogg on the device itself. Victims may notice discrepancies during the use of their device such as:
An app or service that you’re already logged into is asking for a login.
Permission popups that does not contain an app name.
Permissions asked from an app that shouldn’t require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
Typos and mistakes in the user interface.
Buttons and links in the user interface that does nothing when clicked on.
Back button does not work like expected.
“Closing the app from the Recents screen can be effective – however, it is possible for an attacker to also circumvent this. It’s possible to connect the phone via USB, and running adb shell dumpsys activity activities which will give you a technical list of all visible screens, and what task they currently are in, along with which app they actually belong to. However, this method requires some technical knowledge and knowing what to look for,” the Promon research team said.