StrandHogg vulnerability threatens 500 of the most popular Android apps
- Listen to the user through the microphone
- Take photos using the camera
- Make or record phone conversations
- Phish login credentials
Now that we understand the severity of this vulnerability, let's take a closer look at how this vulnerability is exploited.
Who is affected by the StrandHogg vulnerability?
According to Promon, the StrandHogg vulnerability affects all Android device versions right up to the latest version, Android 10.0, though the permission harvesting capabilities are available only from Android 6.0 and above.
Promon was also able to identify 36 malicious apps on the Play Store that exploited this vulnerability. Once one of these is present on a device, it can masquerade as any of the top 500 most popular apps (as ranked by app intelligence company 42Matters).
How does the StrandHogg vulnerability work?
This vulnerability is unusual because, unlike other vulnerabilities detected in the past, it enables sophisticated attacks without root access to the device. It abuses a weakness in Android's multitasking, allowing a malicious app to disguise itself as a legitimate one.
When the user taps the icon of a legitimate app, for example Facebook or Instagram, the malicious app appears in its place and requests permissions that seem natural for the legitimate app. This makes it hard for the user to notice that the permissions are being granted to the malicious app rather than the authentic app they believe they are using.
Image credits: Promon
This vulnerability can further be leveraged to obtain sensitive details like bank account passwords or credit card information.
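The post describes the weakness only as a flaw in Android multitasking; the publicly documented mechanism is activity task affinity and task reparenting, which lets one app's activity be placed on top of another app's task. As an added example (not from Promon or the original post), this small manifest audit flags activity settings that an app developer would want to review when hardening against this class of attack; the manifest it parses is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, not taken from any real app. It mixes an
# activity with an explicitly empty affinity (safe), one with the default
# affinity (the package name), and one that opts into reparenting onto a
# foreign task.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
  <application>
    <activity android:name=".MainActivity"
              android:taskAffinity=""/>
    <activity android:name=".LoginActivity"/>
    <activity android:name=".HelperActivity"
              android:taskAffinity="com.example.other"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml):
    """Return (activity name, finding) pairs for activities whose task
    settings allow them to share a task with, or be moved onto, another
    app's task. An empty android:taskAffinity keeps an activity in its
    own task and matches nothing, so it produces no finding."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        # ElementTree expands the android: prefix into a {namespace}attr key
        name = act.get(f"{{{ANDROID_NS}}}name", "?")
        affinity = act.get(f"{{{ANDROID_NS}}}taskAffinity")
        reparent = act.get(f"{{{ANDROID_NS}}}allowTaskReparenting", "false")
        if affinity == "":
            continue
        if affinity is None:
            findings.append((name, "default affinity (package name); "
                                   "consider android:taskAffinity=\"\""))
        elif affinity != package:
            findings.append((name, f"affinity names another package: {affinity}"))
        if reparent.lower() == "true":
            findings.append((name, "android:allowTaskReparenting=\"true\""))
    return findings


if __name__ == "__main__":
    for activity, finding in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{activity}: {finding}")
```

Run it against a decoded AndroidManifest.xml (for example, one extracted with apktool) to get a quick list of activities worth a second look; a clean result does not prove an app is safe, it only removes the most obvious task-sharing settings.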
How can a user identify if the StrandHogg vulnerability is exploited on their device?
While there is no reliable method to determine if StrandHogg is actively exploited on a device, users can look for certain discrepancies while accessing apps on their devices. Some of these behavioral changes can help differentiate the malicious apps from authentic apps:
- An app prompting the user to log in despite already being logged in
- Permission requests that are not necessary for the functioning of the app
- The back button doesn't function as expected
- Apps with links that don't perform any action
- Blacklist malicious apps from devices to ensure these apps are not downloaded on corporate devices.
- Silently distribute apps to devices while restricting users from installing any other apps on corporate-owned devices.
- Preconfigure app permissions while distributing apps to devices, and auto-deny any new permissions requested by apps.
- Prevent unauthorized actions on single-purpose devices by locking them down to required apps only.
- Mandate that Google Play Protect is enabled on devices to ensure apps are regularly scanned for malware.
- Containerize corporate data on devices to ensure personal apps cannot access corporate data.
- Enroll only devices that meet your compliance standards to prevent rooted and jailbroken devices from accessing corporate data.
- Automate OS updates on devices to ensure all security patches are updated on devices.