StrandHogg Malware Ravages Fully Patched Android Devices, Impersonates Popular Apps

Security researchers say millions of Android phones are susceptible to a newly discovered vulnerability that, if exploited, could allow an attacker to spy on users through the phone's microphone, take photos with the phone's camera, read and send SMS text messages, make and record phone conversations, phish login credentials, and a host of other nefarious deeds.

The malware is called StrandHogg, and there are a couple of things that make it extra concerning. One is that all versions of Android are affected, including Android 10, which is the latest build. And secondly, researchers say StrandHogg allows real-life malware to pose as legitimate apps, with users unaware they are being targeted.

"The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements," researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann at app security provider Promon say.

StrandHogg Malware Is Actively Being Exploited On Android Devices

This is not a theoretical threat either, unfortunately. The researchers say they confirmed with Promon's partner Lookout that at least 36 malicious apps are exploiting the vulnerability in the wild (though none of those are available in Google Play). Furthermore, they found during testing that all of the top 500 apps are vulnerable to StrandHogg.

StrandHogg slide (Source: Promon)

In addition to the threats listed above, an attacker could leverage StrandHogg to access a user's private photos and files, get location and GPS information, access a user's list of contacts, and sift through phone logs.

"By exploiting this vulnerability, a malicious app installed on the device can attack the device and trick it so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen. When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps," the researchers say.

The researchers further note that sophisticated attacks by way of StrandHogg do not require the device to be rooted. Instead, it abuses a weakness in Android's multitasking system, specifically the way activities are grouped into tasks via the "taskAffinity" attribute, to carry out malicious activities.
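The manifest-level indicator of the taskAffinity abuse described above is an activity that claims the task affinity of a package other than its own. The following static check is an added example for this article, not code from Promon, Lookout or Google; the manifest, package names and the use of the `allowTaskReparenting` attribute as a secondary indicator are constructed assumptions for illustration.

```python
"""Flag activities whose android:taskAffinity points at another app's package."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app): one benign activity
# and one that claims the task affinity of a different package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
  <application>
    <activity android:name=".MainActivity" />
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.victimbank"
              android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def find_foreign_affinity(manifest_xml: str) -> list:
    """Return one finding per activity whose taskAffinity names a foreign package."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        affinity = act.get(ANDROID_NS + "taskAffinity")
        # An unset affinity defaults to the app's own package, and an empty
        # string opts the activity out of task sharing; both are benign here.
        if not affinity or affinity == own_pkg or affinity.startswith(own_pkg + "."):
            continue
        findings.append({
            "activity": act.get(ANDROID_NS + "name"),
            "task_affinity": affinity,
            # Assumed secondary indicator: allowTaskReparenting lets the
            # activity move into the foreign task when it comes forward.
            "allow_reparenting": act.get(ANDROID_NS + "allowTaskReparenting") == "true",
        })
    return findings


if __name__ == "__main__":
    for f in find_foreign_affinity(SAMPLE_MANIFEST):
        print(f"{f['activity']}: taskAffinity={f['task_affinity']} "
              f"reparenting={f['allow_reparenting']}")
```

Running the check over an unpacked APK's decoded manifest is a cheap triage step; a hit is an indicator to review, not proof of malice, since some legitimate app suites share task affinities deliberately.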

Just as concerning, apps that leverage StrandHogg have been known to slip into Google Play. Google's been good at rooting them out and removing them, but it is an ongoing battle, the researchers say.

"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues," Google told Ars Technica.

As always, users should be cautious about which apps they download and from where, check what permissions those apps request, and be on the lookout for any suspicious activity.