A critical vulnerability in the Android operating system known as StrandHogg allows malicious apps, including banking trojans, to display fake login screens over legitimate mobile banking apps and steal the banking credentials of unsuspecting users.
The vulnerability, dubbed StrandHogg, was recently disclosed by Norwegian mobile app security firm Promon. Because it affects the latest versions of Android, including Android 10, Promon found that all of the top 500 most popular apps are exposed to it.
The firm said that the StrandHogg vulnerability allowed malicious apps to “pose as any legitimate app, granting hackers access to private SMS’ and photos, steal victims’ log-in credentials, track movements, make and/or record phone conversations, and spy through a phone’s camera and microphone”.
StrandHogg vulnerability exploited by 36 malicious apps over the past three years
The most worrying aspect of the vulnerability is that attackers can exploit it without obtaining root access. Because a malicious app can pose as a legitimate one while requesting permissions such as access to SMS, photos, the microphone and GPS, attackers can read the device's phone logs, obtain location and GPS data, and take photos with the phone's camera.
After carrying out a detailed analysis of the StrandHogg vulnerability affecting Android devices, security firm Lookout confirmed that it had been exploited by as many as 36 malicious apps, including variants of the notorious BankBot banking trojan.
None of these 36 apps were distributed on the Google Play Store themselves; they were installed on Android devices by dropper apps that users had downloaded from the Play Store.
“A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions.
“While Android has safeguards in place to defend against overlay attacks, by using Strandhogg attackers can still mount such an attack even against current versions of Android,” the firm noted.
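The article does not spell out how StrandHogg gets around Android's overlay protections. Promon's disclosure attributes it to Android's task-affinity control: a malicious activity declares `android:taskAffinity` equal to the target app's package name and `android:allowTaskReparenting="true"`, so when the victim launches the legitimate app the attacker's activity is hoisted into that app's task and shown in its place, without needing the overlay permission at all. The script below is an added example written for this page, not code from the article, Promon or Lookout. It scans a decoded AndroidManifest.xml (an APK's manifest is binary XML and must first be decoded, for example with apktool) and flags activities whose task settings match that pattern. The manifest it runs on is a constructed sample with fictional package names; the function and variable names are the example's own.

```python
"""Flag activities whose task settings allow StrandHogg-style task hijacking.

Added example for this page; not code from the article, Promon or Lookout.
Input is a decoded (text) AndroidManifest.xml, e.g. as produced by apktool.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_task_hijack_candidates(manifest_xml):
    """Return a list of {"activity", "reasons"} dicts for activities that either
    set taskAffinity to a package other than their own, or enable
    allowTaskReparenting. Both settings have rare legitimate uses, so the
    results are review candidates, not verdicts."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # <application> may set defaults that every <activity> inherits.
    app_affinity = _attr(app, "taskAffinity")
    app_reparent = (_attr(app, "allowTaskReparenting") or "false").lower() == "true"

    for act in app.iter("activity"):
        name = _attr(act, "name") or "?"

        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = app_affinity  # inherit the application-level value
        reparent_attr = _attr(act, "allowTaskReparenting")
        reparent = app_reparent if reparent_attr is None else reparent_attr.lower() == "true"

        reasons = []
        # An empty taskAffinity means "no affinity" and is not a hijack indicator,
        # so only a non-empty value naming a foreign package is flagged.
        if affinity and affinity != own_pkg:
            reasons.append(f"taskAffinity={affinity!r} names a foreign package")
        if reparent:
            reasons.append("allowTaskReparenting=true")
        if reasons:
            findings.append({"activity": name, "reasons": reasons})
    return findings


# Constructed sample manifest: a hypothetical dropper with one benign activity
# and one activity configured to be reparented into a fictional bank app's task.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".FakeLogin"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"
              android:excludeFromRecents="true" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in find_task_hijack_candidates(SAMPLE_MANIFEST):
        print(finding["activity"], "->", "; ".join(finding["reasons"]))
```

Run it against every activity of a decoded APK; a legitimate app almost never needs an affinity that names a different package, so any such hit on an app that is not itself the named package deserves manual review. This check is only a static indicator: it does not prove the activity displays a phishing screen, and an app can still abuse other techniques the article mentions, such as the Accessibility Service.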
According to Sam Bakken, senior product marketing manager at OneSpan, app developers can use various mobile app security technologies under the umbrella of in-app protection, including app shielding and runtime protection, to mitigate these windows of exposure resulting from security issues in both Android and iOS.
New variants of BankBot banking trojan are more sophisticated and difficult to detect
The BankBot banking trojan was first discovered by security researchers in 2017 and was promptly removed by Google from its Play Store. However, the malware returned to the Play Store a few months later, this time hiding inside the download package of a duplicate version of Jewel Star Classic, a popular Android game.
According to security researchers at ESET who discovered the new BankBot variant, it was “the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.”
Last year, security firm Trend Micro also warned in its Mobile Threat Landscape Report about a number of hackers using variants of the BankBot trojan to target users of banking apps after the malware’s source code was dumped by an unknown hacker on Dark Web forums.
“BankBot’s latest versions spoof 160 banks from 27 countries, with one sample alone downloaded 5,000 – 10,000 times. BankBot had anti-signature and anti-sandbox capabilities. It also carried out command-and-control (C&C) communication by abusing Firebase Cloud Messaging, Google’s cross-platform messaging back-end service, as a middleman between their C&C servers and their victim’s data,” the firm said.
Commenting on the exploitation of StrandHogg by variants of BankBot, Trend Micro said that vulnerabilities like these expose users to significant risk: not only do they have to contend with malicious apps themselves, they also need to be cautious with trusted, legitimate applications.
“Users should also be careful when browsing through third-party app stores where they could have a higher chance of downloading malicious apps because of a less stringent approval process.
“Applying patches and updates that address vulnerabilities as soon as they become available is the best viable defense against possible exploits, which should be practiced not only by users but by software and app developers as well,” the firm added.