Android 'spoofing' bug helps attackers target bank accounts

Joanna Estrada
December 3, 2019

A newly disclosed Android vulnerability lets malicious apps pose convincingly as legitimate ones. Security researchers from Promon have discovered the "StrandHogg" vulnerability, which affects all Android versions, including the latest, Android 10.

Called StrandHogg, the vulnerability can be used to trick users into thinking they are using a legitimate app when they are actually interacting with an overlay created by the attackers. In all, Promon found that 60 financial institutions had been targeted by various apps that exploited the vulnerability.

StrandHogg is "unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device", says Promon.

Because the malicious app appears to be another, trusted app, the attacker can request permissions that it would be natural for that app to request, which lowers victims' suspicion.

Once the malicious app, disguised as a normal app, is installed on the targeted phone, it exploits the bug and begins to display fake overlays on top of legitimate apps.

Promon spotted the vulnerability while analyzing a malicious banking Trojan app that hijacked the bank accounts of several customers in the Czech Republic and stole their money. An attacker can ask for any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim's movements.

"We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information", Promon CTO Tom Lysemose Hansen said.

Even so, users may be able to notice discrepancies while using their smartphones, such as apps asking them to log in again, permission pop-ups that show no app name, apps asking for permissions they don't need, typos and UI mistakes, and buttons that don't work or don't work as expected.

In a statement, Google said: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".

Promon reported the StrandHogg vulnerability to the Google security team this summer and disclosed the details today, after the tech giant had not patched the issue within the 90-day disclosure timeline.

Other reports by Click Lancashire
