
By Shannon Morse, ThreatWire 

While the week of Thanksgiving usually comes with slow security news, we did hear about an Android vulnerability that is being exploited in the wild. Researchers at the Norwegian security firm Promon, which specializes in app security, discovered that this vulnerability has been left unpatched and could let a malicious app steal banking and login credentials. To work, the vulnerability, called StrandHogg, has to be exploited by a malicious app that the user has installed on their device. When an app is opened, the malware can display a fake UI over the launch of the actual application.

This can trick users into thinking they’re using legitimate applications, so if, for example, a user chooses to type in their username and password to log into an app, the malware could steal that data. An attacker could receive that data instantly from the device, letting them gain access to sensitive applications, like banking apps.

The attack could also let a malicious app do privilege escalation by tricking users into granting the incorrect permissions, like permissions to read texts, view location data, listen to phone calls or access the camera.

So how does it work? Well, StrandHogg is a flaw in Android multitasking. Specifically, when a user switches between tasks or processes for different apps or operations, the Android phone uses a feature called Task Reparenting, which puts the processing power toward whatever app is currently on screen. StrandHogg abuses Task Reparenting: when the user taps a legitimate app, code in the malicious app fires up at the same time.
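The last link at the bottom of this post is about the android:allowTaskReparenting manifest attribute, which is the setting Task Reparenting is controlled by. The script below is an added example for this post, not code from ThreatWire or from Promon: it is a small static check that app vetting teams can run over a decoded AndroidManifest.xml (the text form that a tool such as apktool writes out) and that flags activities allowed to reparent themselves into a task whose android:taskAffinity names a package other than the app's own. Legitimate apps rarely need that combination, so it is a cheap triage signal for review; the two manifests in the block are constructed samples, and the package names in them are made up.

```python
"""Flag Android manifest activities that can reparent into another app's task.

Added example for this post (not Promon's tooling). Assumes a decoded, textual
AndroidManifest.xml and reports activities that combine
android:allowTaskReparenting="true" (set directly or inherited from
<application>) with an android:taskAffinity outside the app's own package.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def find_suspicious_activities(manifest_xml: str) -> list[dict]:
    """Return activities whose task configuration looks StrandHogg-style."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # allowTaskReparenting on <application> is the default for every activity
    # that does not set the attribute itself.
    app_default = _attr(app, "allowTaskReparenting", "false") == "true"
    findings = []
    for act in app.iter("activity"):
        own = _attr(act, "allowTaskReparenting")
        reparent = (own == "true") if own is not None else app_default
        affinity = _attr(act, "taskAffinity")
        # The default affinity is the package name; an empty string means
        # "no affinity". Anything else that is not under our package is foreign.
        foreign = bool(affinity) and affinity != package \
            and not affinity.startswith(package + ".")
        if reparent and foreign:
            findings.append({"activity": _attr(act, "name", ""),
                             "taskAffinity": affinity})
    return findings


# Constructed sample: a game that keeps its activities inside its own package.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".Settings"
              android:taskAffinity="com.example.game.settings"/>
  </application>
</manifest>
"""

# Constructed sample: an activity that may reparent into a task claimed by
# another (hypothetical) package name.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application android:allowTaskReparenting="true">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST),
                            ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, find_suspicious_activities(manifest))
```

The check is deliberately narrow: it only reports the combination of reparenting plus a foreign affinity, so an app that merely sets allowTaskReparenting for its own package (a legitimate use of the attribute) is not flagged, while the inherited value from the application element is still honoured.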

Again, the researchers said that they've seen this in use in the wild and that a user is unlikely to spot the malicious app. It doesn't require root access and works on all versions of Android without any additional permissions. The malicious apps were being distributed through the Google Play store via downloader apps, or droppers. A dropper is an app that pretends to offer the functionality of a popular app such as a game, utility, or photo editor, but in reality installs additional applications that can be malicious. A legitimate-looking dropper could then install malware that took advantage of the StrandHogg vulnerability.

The researchers discovered 36 malicious apps that use the StrandHogg vulnerability and were being distributed on the Google Play store; these have now been removed. According to Promon, Google had 90 days to patch the vulnerability but has not done so, so the researchers went public about the issue.

Since these apps are already being used in the wild, keep an eye out for suspicious activity such as an app asking you to log in after you've already logged in, odd permission popups that don't include an app name and ask for unusual permissions, app glitches like buttons not working, and back button wonkiness. Downloading apps only from known developers can also help. At the time of writing, Google has made no comment about the flaw, so it's not certain whether this will be fixed in a reasonable amount of time or whether we'll continue to see the attacks spread. The full report from the researchers at Promon is available in the links provided below.

Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Shop ThreatWire Merch!

https://snubsie.com/shop

StrandHogg:

https://thehackernews.com/2019/12/strandhogg-android-vulnerability.html

https://www.zdnet.com/article/android-new-strandhogg-vulnerability-is-being-exploited-in-the-wild/

https://promon.co/security-news/strandhogg/

https://www.androidcookbook.info/android-1-6-sdk/the-allowtaskreparenting-attribute.html
