Dubbed StrandHogg, an old Norse word for a Viking raiding tactic, the vulnerability was spotted in the wild after a specialist financial services security company that partners with Promon reported customers of several banks in Czechia had lost money to it.
On examining a sample of the suspected malware, the researchers were able to identify the vulnerability that enabled it to steal from bank accounts. Further research by another partner business, Lookout, confirmed at least 36 other malicious apps exploiting the vulnerability, among them variants of the widespread BankBot trojan.
“We have already seen attackers exploiting StrandHogg for monetary gains,” said Promon chief technology officer (CTO) Tom Lysemose Hansen.
“If left unaddressed, the potential impact of this could be unprecedented in terms of scale and the amount of damage caused, because most apps are vulnerable by default and all Android versions are affected.”
StrandHogg affects all versions of Google’s mobile operating system, including Android 10, the most recent release, and both rooted and unrooted devices.
It exploits a flaw in Android’s multitasking system that allows malicious apps to masquerade as virtually any other app present on the target device. The exploit is based on the Android taskAffinity control setting, which allows any app to freely assume whatever identity it chooses in the multitasking system.
This means a malicious app can ask for various permissions while pretending to be a legitimate app. It disguises itself by requesting permissions that the targeted app would naturally ask for, which lowers the user’s guard.
It can also trick the device so that when the app icon of a legitimate app is clicked, a malicious version is displayed instead, which steals login credentials and other sensitive information.
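As an added illustration (not Promon’s, Lookout’s or Google’s code), the following Python script audits an AndroidManifest.xml for the taskAffinity setting described above, flagging activities that declare an affinity for another package or allow task reparenting. The sample manifest and its package names are constructed, and the empty-affinity hardening the script recognises comes from Android’s own documentation rather than from this article.

```python
# Added example (not Promon's, Lookout's or Google's code): audit an
# AndroidManifest.xml for the taskAffinity setting the article describes.
# The sample manifest and package names below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def audit_manifest(manifest_xml: str) -> list:
    """One finding per <activity>, classed by its effective task affinity:
    'foreign' (taskAffinity names another package, the setting task hijacking
    relies on), 'default' (inherits the package name, so another activity
    declaring that affinity can join its task) or 'isolated' (taskAffinity=""
    keeps it in its own task, the hardening Android's documentation allows).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    findings = []
    for activity in root.iter("activity"):
        affinity = activity.get(ANDROID_NS + "taskAffinity")
        if affinity is None or affinity == package:
            status, affinity = "default", package
        elif affinity == "":
            status = "isolated"
        else:
            status = "foreign"
        findings.append({
            "activity": activity.get(ANDROID_NS + "name"),
            "status": status,
            "affinity": affinity,
            # allowTaskReparenting lets it migrate into the task whose affinity it declares
            "reparent": activity.get(ANDROID_NS + "allowTaskReparenting") == "true",
        })
    return findings

def suspicious(findings):
    """Findings a store-side or build-time check would escalate for review."""
    return [f for f in findings if f["status"] == "foreign" or f["reparent"]]

# Constructed manifest: one default activity, one declaring affinity for a
# made-up banking package, one hardened with an empty affinity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <application>
    <activity android:name=".Main" />
    <activity android:name=".Overlay" android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
    <activity android:name=".Settings" android:taskAffinity="" />
  </application>
</manifest>"""
```

Run against the constructed manifest, only the `.Overlay` activity is escalated; the same check run over a fleet of third-party manifests, or as a build step on your own app, surfaces activities that still carry the default affinity and could be hardened.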
Promon said its research into StrandHogg significantly expanded on research carried out at Penn State University in the US four years ago, which theoretically identified a number of aspects of the vulnerability. However, it claimed Google had waved this off at the time, which enabled StrandHogg to be developed and exploited in practice.
A Google spokesperson said that it had now moved to mitigate the ability of cyber criminals to exploit StrandHogg: “We appreciate the researchers’ work and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique,” they said.
“Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Promon pointed out that the specific sample it tested had not been downloaded from Google Play itself, but rather installed through dropper apps distributed on the Android store – the apps that Google has now suspended.
It added that even so, malicious apps continue to be published and are still able to slip under the radar, so caution is advised.
OneSpan senior product marketing manager Sam Bakken said: “As you might imagine, criminals salivate over the monetisation potential in stolen mobile banking credentials and access to one-time passwords sent via SMS. Promon’s recent findings make the vulnerability as severe as it’s ever been.
“Consumers and app developers alike were exposed to various types of fraud as a result for four years. In addition, now, at least 36 examples of malware attacking the vulnerability as far back as 2017 have been identified. This goes to show you that attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money,” he said.
Bakken pointed out a number of steps that companies can take to ensure developers build security into their products at the design stage.
These include offering secure code education; making regular security testing, including static and dynamic analysis of apps, a workflow item; using only trusted software development kits (SDKs) with strong authentication that ensures data is protected both at rest and in transit; and using more advanced techniques such as app shielding and runtime protection to give extra protection to apps in the wild.
“Various mobile app security technologies under the umbrella of in-app protection, including app shielding and runtime protection, make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS,” said Bakken. “Gartner forecasts that by 2022, at least 50% of successful attacks against clickjacking and mobile apps could have been prevented using in-app protection.”