Cybersecurity researchers have discovered a vulnerability in Android in active use in the wild, called Strandhogg, that lets attackers gather sensitive and private information from the victim, without raising any flags.
The vulnerability, discovered by researchers from app security firm Promon, lets attackers mimic any app on the phone. Users would enter their credentials into fake banking apps and other apps or grant permissions to sensitive data such as photos or messaging.
Many Android vulnerabilities are found to work on a theoretical level, without being used in the wild, and Google is quick to correct them. For Strandhogg, Google didn’t take any steps to remediate the issue, despite being informed about it.
Strandhogg lets malicious apps, including many found in the Google Play Store, mimic the interface and usability of other official apps. Users would think they are entering their user name and password into banking apps, for example, only to offer those details directly to attackers.
Victims couldn’t tell anything was wrong, as there are very few indicators when users were compromised. Many of the apps taking advantage of the vulnerability could be downloaded from the Google Play Store, compounding the problem.
“The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play,” said the Promon researchers. “These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted.”
As far as the researchers from Promon can tell, Google removed the apps from the store but didn’t issue a patch. All Android versions are affected, and the permissions can be harvested on Android versions 6.0 onwards.
Unfortunately, victims can’t tell when this vulnerability is exploited on their phones, but there are a few indicators. People need to keep an eye out for the following issues:
- If an app asks for login even if you’ve already provided the credentials
- If the permissions pop-up doesn’t contain the app name
- If the app requires permissions not usually needed
- If the interface contains typos or unfamiliar elements
- If some buttons don’t work as they should
If the back button doesn’t work as intended