Android apps in Google’s Play Store have frequently been the target of malware designed to infect mobile devices and steal personal information from users.
Google is then put in the position of playing clean up to remove the malicious apps and then repeating the process the next time such fraudulent apps appear.
The latest malware vulnerability is one that affects all Android devices by targeting banking apps in an attempt to compromise user data and gain access to financial accounts.
Discovered by Promon, the vulnerability dubbed StrandHogg allows malicious apps to pose as legitimate ones, giving hackers access to private SMS messages and photos, steal login credentials, track the movements of users, record phone conversations, and spy on people through the phone’s camera and microphone, according to a Promon press release posted on Monday.
Security researchers at Promon analyzing real malware that exploited this vulnerability discovered that all of the top 500 most popular apps had been at risk, affecting all versions of Android, including Android 10. As ranked by the app intelligence company 42 Matters, the list of 100 includes mostly popular and general apps across all types of categories
Specifically, Promon’s partner and security firm, Lookout, confirmed 36 malicious apps that exploited the flaw. Among them were variants of the BankBot banking trojan, which has been seen as early as 2017 and is one of the most widespread banking trojans around.
In response to Promon’s findings, Google has since removed the identified malicious apps from its Play store, according to a statement sent to BBC News and TechRepublic.
“We appreciate the researchers work, and have suspended the potentially harmful apps they identified,” Google said in its statement. “Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
In an overview page, Promon provided details on the StrandHogg vulnerability, explaining its impact and the different ways that hackers can exploit it.
As Promon describes it, StrandHogg allows a malicious app masquerading as a legitimate one to ask for certain permissions, including access to SMS messages, photos, GPS, and the microphone.
Unsuspecting users approve the requests, thinking they’re granting permission to a legitimate app and not one that’s fraudulent and malicious. When the user enters the login credentials within the app, that information is immediately sent to the attacker, who can then sign in and control sensitive apps.
The vulnerability itself lies in the multitasking system of Android, Promon’s marketing and communication director, Lars Lunde Birkeland, said. The exploit is based on an Android control setting called “taskAffinity,” which allows any app, including malicious ones, to freely assume any identity in the multitasking system, Birkeland said.
A specific malware sample analyzed by Promon was not on Google Play but was instead installed through dropper apps and hostile downloaders available on Google’s mobile app store, according to Promon. Such apps either have or pretend to have the features of games, utilities, and other popular apps but actually install additional apps that can deploy malware or steal user data.
“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” Promon’s chief technology officer, Tom Lysemose Hansen, said in a statement on the overview page. “The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”
Though Google removed the 36 exploited apps, Birkeland said that to the best of Promon’s knowledge, the vulnerability itself has not been fixed in any version of Android, including Android 10. Google also tries to safeguard its app store through its Google Play Protect security suite, but dropper apps continue to appear on the store. Often slipping under the radar, these apps can be downloaded millions of times before they’re caught and removed.
“Google Play is usually considered a safe haven for downloading software,” Birkeland said. “Unfortunately, nothing is 100% safe, and from time to time malware distributors manage to sneak their apps into Google Play.”
Sam Bakken, a senior product marketing manager with the anti-fraud company OneSpan, also weighed in on the threat posed by such vulnerabilities as StrandHogg.
“As you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,” Bakken said in a statement.
“Promon’s recent findings make the vulnerability as severe as it’s ever been. Consumers and app developers alike were exposed to various types of fraud as a result for four year,” he continued. “In addition, now, at least 36 examples of malware attacking the vulnerability as far back as 2017 have been identified—some being variants of the notorious Bankbot Trojan. This goes to show you that attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money.”