A new Android vulnerability, called ‘StrandHogg,’ has been disclosed by security researchers at Promon; it allows malware to pose as legitimate apps. Approximately 36 malicious apps have already been found exploiting it on the Android operating system, including the latest Android 10. The vulnerability allows a malicious app to commandeer any genuine app on the device and use it to perform malicious operations.
According to the report from Promon’s security researchers, the StrandHogg vulnerability is quite sneaky because “it does all the advanced attacks even if the device is not rooted, which raises the question: how?” It exploits a weakness in the Android OS multitasking system that allows an application to disguise itself as any other app present on the handset.
Impact & Risk of Strandhogg vulnerability on Android
- All versions of the Android OS are affected, including Android Q (10)
- Most popular applications are at risk
- A total of 36 malicious applications were found exploiting it
- No root access is needed to operate
Below is the list of actions attackers can perform through the malicious apps:
- take photos and record videos
- read and send messages
- listen to you through the microphone
- make and record phone calls
- get the GPS location
- access and modify the phone logs
- access all private files and photos on the device
This Android vulnerability is “based on an Android control setting, taskAffinity. It allows any app to freely disguise its identity as any app on the device they desire.” Moreover, this is an OS-level vulnerability that Google has not fixed in any version of the Android OS to date. Sadly, all Android devices are exposed to this security flaw.
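Because the flaw hinges on the taskAffinity setting, a defender’s first check is whether an app’s own activities leave that setting at its default. The audit below is an added example, not code from the article or from Promon; it assumes a decoded AndroidManifest.xml and the commonly documented hardening that each activity declare an empty android:taskAffinity and not enable android:allowTaskReparenting. The manifest it scans is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app): one hardened
# activity and two that keep task settings an attacker could abuse.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:taskAffinity="" />
    <activity android:name=".TransferActivity" />
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.bank.help"
              android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml: str) -> list:
    """Return one finding per <activity> whose task settings are weak:
    a missing or non-empty android:taskAffinity (the activity then joins
    a task that another app can claim) or allowTaskReparenting="true".
    The recommended hardening (empty taskAffinity) is an assumption of
    this example, not a statement from the article."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        name = activity.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
        affinity = activity.get(f"{{{ANDROID_NS}}}taskAffinity")  # None if absent
        reparent = activity.get(f"{{{ANDROID_NS}}}allowTaskReparenting", "false")
        issues = []
        if affinity is None:
            issues.append("taskAffinity not set (defaults to the package name)")
        elif affinity != "":
            issues.append(f"taskAffinity set to {affinity!r}; empty string recommended")
        if reparent.lower() == "true":
            issues.append("allowTaskReparenting=true")
        if issues:
            findings.append({"activity": name, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_task_affinity(SAMPLE_MANIFEST):
        print(finding["activity"], "->", "; ".join(finding["issues"]))
```

Run against a real app’s decoded manifest (for example, output from apktool), the same function lists every activity that still relies on the default affinity.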
StrandHogg was identified after a client in the financial sector provided Promon with a data sample to analyze. The flaw tricks users into granting intrusive permissions to these malicious apps, believing they are granting them to a trusted app. The malicious apps were also able to generate fake login pages, i.e., phishing attacks inside those apps.
Promon has not named any of those apps, but it notes that none of them are available for download via the Play Store.