New Android bug targets bank apps in the Google Play Store
Dubbed ‘StrandHogg’, the vulnerability discovered by mobile security provider Promon can give hackers access to users’ photos, contacts, phone logs and more.
Android apps in Google’s Play Store have often been the target of malware designed to infect mobile devices and steal personal information from users.
Google is then left to clean up by removing the malicious apps, only to repeat the process the next time such fraudulent apps appear.
The latest vulnerability exploited by malware affects all Android devices and is being used to target bank apps in an effort to compromise user data and access financial accounts.
Discovered by Promon, the StrandHogg vulnerability allows malicious apps to pose as legitimate apps, letting hackers access private text messages and photos, steal login details, track user movements, record phone conversations, and spy on people through the phone’s camera and microphone, according to a Promon press release from Monday.
Promon security researchers analyzing real malware exploiting this vulnerability discovered that all of the 500 most popular apps were compromised and that the vulnerability affects all versions of Android, including Android 10. As ranked by the app intelligence company 42 Matters, the list of 100 contains mainly popular and general apps in all types of categories.
Specifically, Promon’s partner, the security company Lookout, confirmed 36 malicious apps that were exploiting the flaw. Among them were variants of the BankBot banking trojan, which was already seen in 2017 and is one of the most common banking trojans.
In response to Promon’s findings, Google has since removed the identified malicious apps from the Play Store, according to a statement to BBC News.
“We appreciate the researchers’ work and have suspended the potentially harmful apps that they have identified,” said Google in the statement. “In addition, we continue to investigate to improve Google Play Protect’s ability to protect users from similar issues.”
On an overview page, Promon provided information about the StrandHogg vulnerability, explaining its impact and the various ways in which hackers can abuse it.
As Promon describes it, StrandHogg lets a malicious app that poses as a legitimate app request certain permissions, including access to text messages, photos, GPS, and the microphone.
Unsuspecting users approve the requests, thinking that they give permission to a legitimate app and not to one that is fraudulent and malicious. When the user enters the login data in the app, that information is immediately sent to the attacker, who can then log in and operate sensitive apps.
The vulnerability itself lies in Android’s multitasking system, said Promon marketing and communications director, Lars Lunde Birkeland. The exploit is based on an Android control setting called “taskAffinity,” which allows any app, including malicious ones, to freely adopt any identity in the multitasking system, Birkeland said.
A specific malware sample analyzed by Promon was not on Google Play, but was instead installed through dropper apps and hostile downloaders that were available in Google’s mobile app store, according to Promon. Such apps have or pretend to have the functions of games, utilities and other popular apps, but actually install additional apps that can deploy malware or steal user data.
“We have tangible evidence that attackers are exploiting StrandHogg to steal confidential information,” said Promon’s chief technology officer, Tom Lysemose Hansen, in a statement on the overview page. “The potential impact of this can be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”
Although Google has removed the 36 malicious apps, Birkeland said that to the best of Promon’s knowledge, the vulnerability itself has not been resolved in any version of Android, including Android 10. Google is also trying to secure its app store through its Google Play Protect security suite, but dropper apps continue to appear in the store. They often slip under the radar, and these apps can be downloaded millions of times before they are caught and deleted.
“Google Play is usually considered a safe haven for downloading software,” Birkeland said. “Unfortunately, nothing is 100% secure and from time to time malware distributors manage to sneak their apps to Google Play.”
Sam Bakken, a senior product marketing manager at the anti-fraud company OneSpan, also weighed in on the threat of vulnerabilities such as StrandHogg.
“As you can imagine, criminals salivate over the potential to generate income in stolen mobile banking and access to one-time passwords sent via SMS,” Bakken said in a statement.
“Promon’s recent findings make the vulnerability as serious as it has ever been. As a result, consumers and app developers were exposed to various types of fraud for four years,” he continued. “In addition, at least 36 examples of malware attacking the vulnerability have already been identified in 2017 – some variants of the infamous Trojan Bankbot. This shows that attackers are aware of the vulnerability and actively exploit it to steal bank details and money.”