Vulnerability in fully patched Android phones under active attack by bank thieves

A vulnerability in millions of fully patched Android phones is being actively exploited by malware designed to clear the bank accounts of infected users, researchers said Monday.

The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. The malicious apps run under the guise of the already installed, trusted apps and can then request permissions to perform sensitive tasks such as recording audio or video, taking photos, reading text messages, or phishing for login data. Targets who click yes on the request are compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps that exploit the spoofing vulnerability. The malicious apps include variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have repeatedly been caught on Google Play.

The vulnerability is most serious in versions 6 through 10, which, according to Statista, account for about 80 percent of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There is no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click “no” on the requests.

An affinity for multitasking

The vulnerability is found in a feature known as TaskAffinity, a multitasking function that allows apps to assume the identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the TaskAffinity for one or more of their activities to match the package name of a trusted third-party app. By either combining the spoofed activity with an additional allowTaskReparenting activity or by launching the malicious activity with an Intent.FLAG_ACTIVITY_NEW_TASK, the malicious apps are placed inside and on top of the targeted task.

“This is how the malicious activity hijacks the target's task,” Promon researchers wrote. “The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed.”
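As an added illustration (not Promon's or Lookout's code), here is a small Python check an app reviewer could run over a decoded, merged AndroidManifest.xml to flag the two manifest ingredients the article names: a taskAffinity pointing at a foreign package name, and allowTaskReparenting set to true. The sample manifest and its package names are constructed for this example, and the check is a heuristic that assumes the merged manifest still carries the package attribute.

```python
"""Flag manifest activities whose task affinity points at another package.

Added example, not part of the original article. The sample manifest
below is constructed; "com.example.flashlight" and "com.example.somebank"
are hypothetical package names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def suspicious_affinities(manifest_xml: str):
    """Return (activity_name, reason) pairs worth a reviewer's attention."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package")  # assumes the merged manifest keeps it
    findings = []
    for act in root.iter("activity"):
        name = attr(act, "name") or "?"
        affinity = attr(act, "taskAffinity")
        # Unset means "own package"; empty string means "no affinity".
        # Both are ordinary. A value under another package name is not.
        foreign = (affinity not in (None, "")
                   and affinity != own_pkg
                   and not affinity.startswith(own_pkg + "."))
        if foreign:
            findings.append((name, f"taskAffinity targets foreign package {affinity}"))
        if (attr(act, "allowTaskReparenting") or "").lower() == "true":
            findings.append((name, "allowTaskReparenting=true"))
    return findings


# Constructed sample: one ordinary activity and one showing the pattern
# the article describes (hypothetical package names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity" />
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.somebank"
        android:allowTaskReparenting="true" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for activity, reason in suspicious_affinities(SAMPLE_MANIFEST):
        print(f"{activity}: {reason}")
```

A hit is a reason to look closer, not proof of malice; some legitimate apps do set affinities or reparent tasks within their own package, which this check deliberately leaves alone.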

Promon said Google has removed the malicious apps from Google Play, but so far the vulnerability appears to remain unfixed in all versions of Android. Promon is calling the vulnerability “StrandHogg,” an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom. Neither Promon nor Lookout identified the names of the malicious apps. That omission makes it hard for people to know whether they are or were infected.

Google representatives did not respond to questions about when the flaw will be fixed, how many Google Play apps have been caught exploiting it, or how many end users have been affected. The representatives wrote only:

“We appreciate the researchers' work and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including apps that use this technique. In addition, we continue to investigate ways to improve Google Play Protect's ability to protect users against similar problems.”

StrandHogg poses the greatest threat to less experienced users or users with cognitive or other impairments that make it hard to pay close attention to subtle app behavior. Still, there are several things alert users can watch for to detect malicious apps that attempt to exploit the vulnerability. Suspicious signs include:

  • An app or service you are already logged into asks you to log in again.
  • Permission pop-ups that do not contain an app name.
  • Permissions requested by an app that should not need them, for example a calculator app that asks for GPS permission.
  • Typos and errors in the user interface.
  • Buttons and links in the user interface that do nothing when clicked.
  • The back button does not work as expected.

Tip from Czech banks

Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company serving financial institutions that several banks in the Czech Republic were reporting money disappearing from customer accounts. The partner gave Promon a sample of the suspected malware. Promon eventually found that the malware was exploiting the vulnerability. Promon partner Lookout later identified the 36 apps that exploit the vulnerability, including the BankBot variants.

Monday’s post did not say how many financial institutions were targeted in total.

The malware sample Promon analyzed was installed through several dropper apps and downloaders distributed on Google Play. Although Google has removed them, it is not unusual for new malicious apps to find their way onto the Google-run service. Readers are once again reminded to be highly suspicious of Android apps, whether they are available inside or outside of Google Play. People should also pay close attention to the permissions an app requests.
