Vulnerability in Android allows attackers to mask malware as official applications

Security researchers at Promon Information Security Company have discovered a dangerous vulnerability in Android software that could allow cybercriminals to mask malware as official applications to steal logins and passwords for bank accounts.

What’s the impact?

• All top 500 most popular apps are at risk
• Real-life malware is exploiting the vulnerability
• 36 malicious apps exploiting the vulnerability was identified
• The vulnerability can be exploited without root access

Using the vulnerability, an attacker can request any permissions, including access to SMS messages, photos, microphone and GPS, which will allow him to read messages, view photos and track the victim’s movements. At the same time, the user will not suspect that he is granting permissions to the criminals instead of the legitimate application.

“The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using”, — say Promon researchers.

The StrandHogg attack, which uses the taskAffinity attribute in Android, allows “replacing” the icon of a legitimate application in such a way that when user clicks on it, a malicious application will start. Thus, when the user enters his credentials in the interface, all information will be sent to the attacker.

Read also: Malware in popular Android keyboard could cost users $18 million

According to experts, this technique was used in attacks on 60 financial organizations (no names are called). As part of the campaigns, various variants of the BankBot banking Trojan were used.

According to the researchers, StrandHogg is a unique malware because it allows carrying out complex attacks without having access to the root of the device. Besides, it uses the vulnerability in the multi-tasking Android system to carry out powerful attacks that allow malicious applications to mask themselves as any other application on the device.

“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire”, — explain IS experts.

Researchers informed Google about the problem. The tech giant has already removed applications exploiting this vulnerability from the Google Play Store.