Security researchers have discovered an Android vulnerability, called Strandhogg,
that is being actively exploited in the wild and that lets attackers gather
sensitive and private information from victims without raising any flags.
The vulnerability, discovered by researchers from app security firm Promon,
lets a malicious app mimic any other app on the phone. Victims would enter
their credentials into a fake banking app or other impersonated app, or grant
it permissions to sensitive data such as photos or messages.
Many Android vulnerabilities are only ever demonstrated in theory, never
used in the wild, and Google is quick to correct them. In the case of
Strandhogg, Google did not take any steps to remediate the issue, despite
having been informed about it.
Strandhogg lets malicious apps, including many that were distributed through
the Google Play Store, mimic the interface and behaviour of legitimate apps.
Users would think they were entering their username and password into a
banking app, for example, when in fact they were handing those details
directly to attackers.
Victims could not tell that anything was wrong, as there are very few
indicators that a user has been compromised. Many of the apps exploiting the
vulnerability could be downloaded from the Google Play Store, compounding the
problem.
“The specific malware sample which Promon analyzed
did not reside on Google Play but was installed through several dropper
apps/hostile downloaders distributed on Google Play,” said the Promon researchers.
“These apps have now been removed, but in spite of Google’s Play Protect
security suite, dropper apps continue to be published and frequently slip under
the radar, with some being downloaded millions of times before being spotted
and deleted.”
As far as the Promon researchers can tell, Google removed the apps from the
store but did not issue a patch. All Android versions are affected, and on
Android 6.0 onwards the flaw can also be used to harvest permissions.
Unfortunately, there is no reliable way for victims to tell that this
vulnerability is being exploited on their phone, but there are a few warning
signs. People need to keep an eye out for the following:
- An app asks you to log in even though you have already provided your credentials
- A permissions pop-up does not contain the app name
- An app asks for permissions it does not usually need
- The interface contains typos or unfamiliar elements
- Some buttons do not work as they should
- The back button does not work as intended