A vulnerability in millions of fully patched Android phones is being actively exploited by malware designed to drain the bank accounts of infected users, researchers said on Monday.
The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Operating under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive activities, such as recording audio or video, taking photos, reading text messages, or phishing login credentials. Targets who click yes to the request are then compromised.
Researchers from Lookout, a mobile security provider and a Promon partner, reported on Monday that they found 36 apps exploiting the spoofing vulnerability. The malware includes variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have repeatedly infiltrated Google Play.
The vulnerability is most severe in Android versions 6 through 10, which according to Statista account for about 80% of Android phones worldwide. Attacks on those versions allow malicious apps to request permissions while posing as legitimate apps. There is no limit to the permissions malicious apps can request. Access to text messages, photos, the microphone, the camera, and GPS are some of the possible permissions. A user's only defense is to click "No" to the requests.
Multitasking compatibility
The vulnerability is in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the TaskAffinity for one or more of their tasks to match the package name of a trusted third-party app. By either combining the spoofed task with an additional allowTaskReparenting activity or launching the malicious activity with an Intent.FLAG_ACTIVITY_NEW_TASK, the malicious app's activity is placed inside and on top of the targeted task.
"Therefore the malicious activity hijacks the target's task," the Promon researchers wrote. "The next time the target app is launched from the Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed."
Promon said that Google has removed the malicious apps from its Play Store, but, so far, the vulnerability appears to remain unfixed in all versions of Android. Promon calls the vulnerability "StrandHogg," an Old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom. Neither Promon nor Lookout identified the names of the malicious apps. That omission makes it difficult for people to know if they are or have been infected.
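As an added example that is not part of the Promon or Lookout research, the following Python audit flags the manifest pattern described above from a defender's side: activities whose android:taskAffinity names a package other than the app's own, or that set android:allowTaskReparenting. It assumes a decoded (plain-text) AndroidManifest.xml, such as the output of an APK decompiler, and the sample manifest and package names below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    # Android manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_affinity(manifest_xml):
    """Return (activity_name, reason) findings for activities whose task
    settings would let them be placed into another app's task."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for act in app.findall("activity"):
        name = _attr(act, "name") or "<unnamed>"
        affinity = _attr(act, "taskAffinity")
        reparent = (_attr(act, "allowTaskReparenting") or "false").lower() == "true"
        if affinity:
            # A leading ':' is expanded by Android to own package + suffix,
            # so it can never name a foreign package. (Heuristic: anything
            # outside the app's own package namespace is treated as foreign.)
            if affinity.startswith(":"):
                affinity = own_pkg + affinity
            in_own_ns = affinity == own_pkg or affinity.startswith(own_pkg + ".") \
                or affinity.startswith(own_pkg + ":")
            if not in_own_ns:
                findings.append((name, "taskAffinity '%s' names a foreign package" % affinity))
        if reparent:
            findings.append((name, "allowTaskReparenting=true lets the activity move into another task"))
    return findings


# Constructed sample manifest (placeholder package names, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <application>
    <activity android:name=".MainActivity" />
    <activity android:name=".Settings" android:taskAffinity=":settings" />
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.constructed.targetbank"
              android:allowTaskReparenting="true" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for activity, reason in audit_task_affinity(SAMPLE_MANIFEST):
        print(activity, "-", reason)
```

Legitimate apps do occasionally set a custom affinity, so treat a hit as a triage lead rather than proof of malice.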
Google representatives did not respond to questions about when the flaw would be fixed, how many Google Play apps were caught exploiting it, or how many end users were affected. Representatives wrote only:
"We appreciate the researchers' work and have stopped the potentially harmful apps. Google Play Protect detects and blocks malicious apps, including those that use this technique. Additionally, we are continuing to conduct research in order to improve Google Play Protect's ability to protect users against similar issues."
StrandHogg represents the biggest threat to inexperienced users or those with cognitive or other impairments that make it difficult to pay close attention to subtle app behaviors. However, there are several things alert users can do to detect malicious apps that try to exploit the vulnerability. Suspicious signs include:
- An application or service that you are already signed in to is asking you to sign in.
- Permission popups that do not contain the app name.
- Permission requests from an app that should not need the permissions requested. For example, a calculator app asking for GPS permission.
- Typos and errors in the user interface.
- Buttons and links in the user interface that do nothing when clicked on.
- The back button does not work as expected.
Tip-off from a Czech bank
Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security firm serving financial institutions that several banks in the Czech Republic had reported money disappearing from customer accounts. The partner gave Promon a sample of the suspected malware. Promon eventually discovered that the malware was exploiting the vulnerability. Promon partner Lookout later identified 36 apps using the vulnerability, including BankBot variants.
Monday's post did not say how many financial institutions were targeted in total.
The malware Promon analyzed was installed through various dropper apps and downloaders distributed on Google Play. While Google has removed them, it is not uncommon for new malicious apps to make their way into Google's service. Update: In an email sent after this post went live, a Lookout representative said that none of the 36 apps it found were available in Google Play.
Readers are reminded once again to be very suspicious of Android apps available both in and outside of Google Play. People should also pay attention to the permissions requested by any app.