Earlier this month, security researchers at Promon, a Norwegian firm that specializes in in-app security, uncovered a unique vulnerability in Android devices that allows malicious apps to masquerade as legitimate apps and prompt for intrusive permissions that allow them to:

  • Listen to the user through the microphone
  • Take photos using the camera
  • Make or record phone conversations
  • Phish login credentials

And a lot more.

One of the actions that can be particularly dangerous for users and enterprises alike is the ability to read and send SMS messages. Hackers will jump at any opportunity to monetize an available vulnerability, and this one is no exception. With most financial institutions adopting two-factor authentication (2FA) to secure transactions, SMS plays a key role, since users receive the second factor of authentication, the one-time password (OTP), as an SMS message. In fact, Promon discovered the StrandHogg vulnerability when customers of several banks in Czechia reported losing money even after authenticating through a second factor.

Now that the severity is clear, let’s take a closer look at how StrandHogg is exploited.

Who is affected by the StrandHogg vulnerability?

According to Promon, the StrandHogg vulnerability affects every Android version up to and including the latest release, Android 10.0, though the permission-harvesting capabilities are available only on Android 6.0 and above.

Promon was also able to identify 36 malicious apps on the Play Store that exploited this vulnerability. Once one of these is present on a device, it can masquerade as any of the top 500 most popular apps (as ranked by app intelligence company 42Matters).

How does the StrandHogg vulnerability work?

This vulnerability is unique because, unlike others detected in the past, it enables sophisticated attacks without root access to the device. It abuses a weakness in Android’s multitasking (the way the system manages app tasks), which lets a malicious app disguise itself as a legitimate one.

When the user taps a legitimate app’s icon, for example Facebook or Instagram, the malicious app inserts itself in place of that app and requests permissions that seem natural for the legitimate app to ask for. This makes it hard for the user to notice that the permissions are being granted to the malicious app rather than to the authentic app they think they are using.

Image credits: Promon

This vulnerability can further be leveraged to obtain sensitive details like bank account passwords or credit card information.
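The page only calls the weakness a problem in Android’s multitasking; in Promon’s report the mechanism is the `android:taskAffinity` attribute, which lets an app’s activity ask to be placed in another app’s task (the same attribute that the earlier “task hijacking” research abused). That gives an app-vetting team a concrete static indicator to look for. The script below is an added example (not Promon’s or the MDM vendor’s code): it audits a decoded AndroidManifest.xml (as produced by apktool or a similar tool, an assumption) and flags activities that declare a task affinity outside their own package or allow task reparenting, and lists the sensitive permissions the article names (microphone, camera, calls, SMS). The two manifests embedded in it are constructed fixtures, not real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that map to the capabilities listed at the top of the article.
# This mapping is the example's own choice, not a list from Promon.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "listen through the microphone",
    "android.permission.CAMERA": "take photos with the camera",
    "android.permission.READ_SMS": "read SMS (including 2FA codes)",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_PHONE_STATE": "monitor phone calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "intercept outgoing calls",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml: str) -> dict:
    """Return task-affinity findings and sensitive permissions for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    task_findings = []

    # An activity's default task affinity is its own package name. A value that
    # points at some other package, or allowTaskReparenting=true, is exactly the
    # kind of declaration a task-hijacking impostor needs and a normal app rarely
    # has, so both are reported for manual review.
    for activity in root.iter("activity"):
        name = _attr(activity, "name") or "?"
        affinity = _attr(activity, "taskAffinity")
        if affinity is not None and affinity != "" and not affinity.startswith(package):
            task_findings.append(
                f"activity {name} declares foreign taskAffinity '{affinity}'")
        if (_attr(activity, "allowTaskReparenting") or "").lower() == "true":
            task_findings.append(f"activity {name} sets allowTaskReparenting=true")

    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    sensitive = sorted(p for p in requested if p in SENSITIVE_PERMISSIONS)

    return {
        "package": package,
        "task_findings": task_findings,
        "sensitive_permissions": sensitive,
        "capabilities": [SENSITIVE_PERMISSIONS[p] for p in sensitive],
        # Affinity abuse is the signal; the permissions show what it would buy.
        "suspicious": bool(task_findings),
    }


# Constructed fixture: a "flashlight" app whose login screen wants to live in
# another package's task and which asks for camera and SMS access.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <activity android:name=".LoginActivity"
            android:taskAffinity="com.other.app"
            android:allowTaskReparenting="true"/>
    </application>
</manifest>
"""

# Constructed fixture: a clean app that keeps the default affinity.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, CLEAN_MANIFEST):
        report = audit_manifest(xml)
        print(report["package"], "suspicious" if report["suspicious"] else "clean")
        for line in report["task_findings"]:
            print("  -", line)
        for cap in report["capabilities"]:
            print("  requests ability to", cap)
```

An empty `taskAffinity=""` is treated as benign because it is the documented hardening for an app that wants its activities to stay out of every shared task. A foreign affinity is not proof of malice on its own; it is a strong reason to pull the app for review, which is how a vetting pipeline would use this check.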

How can a user identify if the StrandHogg vulnerability is exploited on their device?

While there is no reliable way to confirm that StrandHogg is being exploited on a device, users can watch for discrepancies while using their apps. The following behaviors can help distinguish a malicious impostor from the authentic app:

  • An app prompting the user to log in despite already being logged in
  • Permission requests that are not necessary for the app to function
  • The back button not behaving as expected
  • Links or buttons in the app that don’t do anything

Is a fix available for the StrandHogg vulnerability?

Google has confirmed that it has taken steps to address the vulnerability and has removed the 36 identified malicious apps from the Google Play Store. It added that the Google Play Protect security suite identifies harmful apps on the Play Store and removes them from the store and from users’ devices. However, the vulnerability itself has yet to be patched, meaning attackers can continue to submit malicious apps to the Play Store that leverage it.

How can you protect your organization’s devices from similar cyberattacks?

Deploying a mobile device management (MDM) solution is the first step to fortify security against cyberattacks in organizations. MDM solutions provide various proactive configurations to prevent these attacks on devices. Here’s how an MDM solution can help:

  1. Blacklist malicious apps so they cannot be installed on corporate devices.
  2. Silently distribute apps to devices while restricting users from installing any other apps on corporate-owned devices.
  3. Preconfigure app permissions while distributing apps to devices, and auto-deny any new permissions requested by apps.
  4. Prevent unauthorized actions on single-purpose devices by locking them down to the required apps only.
  5. Mandate that Google Play Protect is enabled on devices so apps are regularly scanned for malware.
  6. Containerize corporate data on devices so personal apps cannot access it.
  7. Enroll only devices that meet your compliance standards, to keep rooted and jailbroken devices away from corporate data.
  8. Automate OS updates on devices so all security patches are applied.
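Several of the items above map directly onto settings in a device policy, so it is worth being able to check a policy document for them rather than trusting a dashboard. The code below is an added example, not ManageEngine’s or Google’s code. It expresses a weak and a hardened policy in the shape of an Android Management API policy (field names such as `installAppsDisabled`, `permissionPolicy`, `ensureVerifyAppsEnabled`, `systemUpdate.type` and `applications[].installType` are taken from that API; other MDMs use their own schema, so treat the names as assumptions to adapt) and reports which of the listed controls a policy is missing. Items 6 and 7 (containerization and enrollment compliance) are enrollment-time decisions rather than policy fields, so the checker does not claim to cover them; both policies and package names are constructed.

```python
from typing import Callable, Dict, List, Tuple

# Constructed policy that leaves users free to install apps and grant
# whatever an app asks for: the situation StrandHogg-style impostors rely on.
WEAK_POLICY: Dict = {
    "applications": [
        {"packageName": "com.example.crm", "installType": "AVAILABLE"},
    ],
    "permissionPolicy": "PROMPT",
}

# Constructed hardened policy covering items 1, 2, 3, 5 and 8 from the list.
HARDENED_POLICY: Dict = {
    "applications": [
        # Item 2: corporate app pushed silently ...
        {
            "packageName": "com.example.crm",
            "installType": "FORCE_INSTALLED",
            # Item 3: ... with a permission it never needs pre-denied.
            "permissionGrants": [
                {"permission": "android.permission.READ_SMS", "policy": "DENY"}
            ],
        },
        # Item 1: a known-bad package (placeholder name) blocked outright.
        {"packageName": "com.example.knownbad", "installType": "BLOCKED"},
    ],
    "playStoreMode": "WHITELIST",      # only listed apps are visible in Play
    "installAppsDisabled": True,       # item 2: users cannot install anything else
    "permissionPolicy": "DENY",        # item 3: new runtime permission prompts auto-denied
    "ensureVerifyAppsEnabled": True,   # item 5: Play Protect app verification stays on
    "systemUpdate": {"type": "AUTOMATIC"},  # item 8: patches applied automatically
}


def _apps(policy: Dict) -> List[Dict]:
    return policy.get("applications", []) or []


# (label, predicate) pairs; a predicate returns True when the control is present.
CONTROLS: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("1. at least one blocked (blacklisted) app",
     lambda p: any(a.get("installType") == "BLOCKED" for a in _apps(p))),
    ("2. silent distribution with user installs disabled",
     lambda p: p.get("installAppsDisabled") is True
     and any(a.get("installType") == "FORCE_INSTALLED" for a in _apps(p))),
    ("3. new permission requests auto-denied",
     lambda p: p.get("permissionPolicy") == "DENY"),
    ("5. Play Protect app verification enforced",
     lambda p: p.get("ensureVerifyAppsEnabled") is True),
    ("8. automatic OS updates",
     lambda p: (p.get("systemUpdate") or {}).get("type") == "AUTOMATIC"),
]


def missing_controls(policy: Dict) -> List[str]:
    """Return the labels of the listed controls this policy does not implement."""
    return [label for label, present in CONTROLS if not present(policy)]


def denied_permissions(policy: Dict, package: str) -> List[str]:
    """Permissions explicitly denied for one managed app (item 3 at app level)."""
    for app in _apps(policy):
        if app.get("packageName") == package:
            return sorted(g["permission"] for g in app.get("permissionGrants", [])
                          if g.get("policy") == "DENY")
    return []


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_controls(policy)
        print(f"{name}: {'no gaps' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running this against a policy exported from your MDM turns the list above into a repeatable audit; the `permissionPolicy: DENY` line is the one that most directly blunts StrandHogg, because an impostor that cannot obtain a new runtime permission cannot reach the microphone, camera or SMS store no matter which app it imitates.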

ManageEngine Mobile Device Manager Plus allows organizations to automate all of the above and a lot more, thereby protecting your organization against cyberattacks. Give Mobile Device Manager Plus a try, free for 30 days!