Monday, 13 July, 2020

New Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild

Cecil Davis | 04 December, 2019, 10:10

On Dec. 2, the Norwegian app security firm Promon revealed the discovery of a serious Android vulnerability called StrandHogg, which reportedly affects all versions of Android and puts the 500 most popular Android apps at risk.

Promon reported the Strandhogg vulnerability to the Google security team this summer and disclosed details today when the tech giant failed to patch the issue even after a 90-day disclosure timeline. "An attacker can ask for access to any permission, including SMS, photos, microphone, and Global Positioning System, allowing them to read messages, view photos, eavesdrop, and track the victim's movements", researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann at app security provider Promon say.

It works by exploiting a flaw in Android's multitasking system: a malicious app can present its own screen in place of a legitimate app's, showing a fake login screen that tricks users into handing over their credentials.

All versions of Android are affected and all of the top 500 most popular Android apps are at risk, they found.

Promon researchers say that it is hard for app makers to detect whether attackers are exploiting StrandHogg against their own app(s), but that the risk can be partly mitigated by setting the task affinity of all activities to "" (an empty string) in the application tag of AndroidManifest.xml. "Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using", the Norwegian security company explains.

Over 36 malicious apps are already said to be exploiting the vulnerability in the wild.

The researchers found that 60 separate financial institutions were being targeted by apps seeking to exploit the flaw.


"The attack can be created to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims".

This vulnerability is "based on an Android control setting called taskAffinity, which allows any app, including the malicious ones, to freely assume any identity in the multitasking system they desire". While Google has removed the malicious apps that were identified, there is no indication that the vulnerability itself has been fixed in any version of Android.
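As an added illustration of the taskAffinity setting described above and of the manifest mitigation Promon recommends (this is example code added here, not Promon's or Google's), the following Python script parses an AndroidManifest.xml and reports every activity whose effective taskAffinity is non-empty, resolving the value the way Android does (activity attribute, then application attribute, then the package name as the default). The two manifests, the package name com.example.bank and the activity names are constructed for the example; the second manifest shows the edge case where the application-level "" is undone by a per-activity override.

```python
"""Audit an AndroidManifest.xml for activities whose effective taskAffinity
is non-empty, i.e. activities the application-level mitigation does not cover.
Added example; manifests and names below are constructed, not from a real app."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute; None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_affinity(manifest_xml):
    """Return [(activity_name, effective_affinity)] for every activity whose
    effective taskAffinity is not the empty string.

    Resolution follows the Android manifest rules: an explicit
    android:taskAffinity on <activity> wins, then the one on <application>,
    and when neither is set the package name is the default affinity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    app_affinity = android_attr(app, "taskAffinity")
    findings = []
    for activity in app.findall("activity"):
        name = android_attr(activity, "name")
        if name.startswith("."):  # shorthand relative to the package name
            name = package + name
        own = android_attr(activity, "taskAffinity")
        if own is not None:
            effective = own
        elif app_affinity is not None:
            effective = app_affinity
        else:
            effective = package
        if effective != "":
            findings.append((name, effective))
    return findings


# Constructed sample: a typical manifest with no taskAffinity set anywhere,
# so every activity defaults to the package name as its affinity.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the recommended mitigation applied on <application>,
# but one activity re-introduces a non-empty affinity of its own.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank" android:taskAffinity="">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".MainActivity"
              android:taskAffinity="com.example.bank.legacy"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        findings = audit_task_affinity(manifest)
        print("%s manifest: %d activit(ies) with a non-empty task affinity"
              % (label, len(findings)))
        for name, affinity in findings:
            print("  %s -> %r" % (name, affinity))
```

Run against a real app, feed it the decoded manifest (for example the output of apktool or aapt, both of which produce the text form this parser expects). Note that the audit only checks the condition the mitigation addresses; as the article says, Promon describes the manifest change as a partial mitigation, not a fix for the platform issue.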

In its report, the security firm further added that there is no reliable way to detect a StrandHogg exploit being abused on a device.

Promon has not listed the apps, but says that none of them are available for download via the Play Store.

These particular apps have been removed by Google, but dropper apps often get past Google Play's protections and trick users into installing them by posing as popular apps.

In response, Google said: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".