NOT THE APP YOU'RE LOOKING FOR —
"StrandHogg" spoofing flaw exploited by 36 apps, including bank trojans.
Dan Goodin – Dec 2, 2019 9:10 pm UTC
A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday.
The vulnerability enables malicious apps to masquerade as legitimate apps that targets have already installed and have come to trust, researchers from security company Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.
Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.
The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against these versions allow malicious apps to ask for permissions while posing as legitimate apps. There is no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests.
An affinity for multitasking
The vulnerability is found in a feature known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the TaskAffinity for one or more of their activities to match the package name of a trusted third-party app. By either combining the spoofed activity with an additional allowTaskReparenting activity or launching the malicious activity with an Intent.FLAG_ACTIVITY_NEW_TASK, the malicious apps will be placed inside and on top of the targeted task.
"Thus the malicious activity hijacks the target's task," Promon researchers wrote. "The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed."
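The two manifest-level signals described above, an activity whose android:taskAffinity names another app's package and an activity that opts into android:allowTaskReparenting, can be checked statically by anyone triaging an APK. The following is an added example written for this article; it is not code from Promon, Lookout or the article itself. The manifest, the package names in it and the find_affinity_spoofing function are constructed for the demonstration.

```python
"""Static check for StrandHogg-style task-affinity spoofing in an Android manifest.

Added example for this article, not Promon's or Lookout's tooling.  It parses an
AndroidManifest.xml and flags activities whose android:taskAffinity names a
package other than the app's own, and activities that set
android:allowTaskReparenting.  The sample manifest and all package names in it
are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a dropper whose overlay activity claims the task of a
# placeholder banking app and asks to be reparented into that task.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".LoginOverlay"
              android:taskAffinity="com.example.trustedbank"
              android:allowTaskReparenting="true"/>
    <!-- Empty affinity means "no task affinity": a hardening choice, not a spoof. -->
    <activity android:name=".Settings" android:taskAffinity=""/>
    <!-- A leading ':' is expanded by the platform to the app's own package. -->
    <activity android:name=".Worker" android:taskAffinity=":worker"/>
  </application>
</manifest>
"""


def _attr(element: ET.Element, name: str):
    """Read an attribute from the android: namespace (None if absent)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _resolve_affinity(affinity, own_pkg: str) -> str:
    """Mirror the manifest defaults: unset -> the package name,
    "" -> no affinity, ":x" -> "<package>:x", anything else as written."""
    if affinity is None:
        return own_pkg
    if affinity == "":
        return ""
    if affinity.startswith(":"):
        return own_pkg + affinity
    return affinity


def _is_foreign(affinity: str, own_pkg: str) -> bool:
    """True when the effective affinity is rooted in some other package."""
    if not affinity or affinity == own_pkg:
        return False
    return not (affinity.startswith(own_pkg + ".") or affinity.startswith(own_pkg + ":"))


def find_affinity_spoofing(manifest_xml: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious attribute, in manifest order."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package") or ""
    findings: List[Dict[str, str]] = []
    app = root.find("application")
    if app is None:
        return findings
    for activity in app.iter("activity"):
        name = _attr(activity, "name") or "<unnamed>"
        affinity = _resolve_affinity(_attr(activity, "taskAffinity"), own_pkg)
        if _is_foreign(affinity, own_pkg):
            findings.append({"activity": name, "issue": "foreign-affinity", "value": affinity})
        if (_attr(activity, "allowTaskReparenting") or "false").lower() == "true":
            findings.append({"activity": name, "issue": "task-reparenting", "value": "true"})
    return findings


def is_suspicious(manifest_xml: str) -> bool:
    """Convenience wrapper for a yes/no triage verdict."""
    return bool(find_affinity_spoofing(manifest_xml))


if __name__ == "__main__":
    for finding in find_affinity_spoofing(SAMPLE_MANIFEST):
        print("%-16s %-18s %s" % (finding["activity"], finding["issue"], finding["value"]))
```

Run it against the decoded AndroidManifest.xml of an APK (the binary manifest inside the package must be decoded first). A hit is a triage signal, not proof of malice: legitimate apps occasionally share a task affinity across a suite, and the Intent.FLAG_ACTIVITY_NEW_TASK variant is set at runtime, so it does not appear in the manifest at all.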
Promon said Google has removed malicious apps from its Play Market, but, so far, the vulnerability appears to be unfixed in all versions of Android. Promon is calling the vulnerability "StrandHogg," an old
Google representatives didn't respond to questions about when the flaw will be patched, how many Google Play apps have been caught exploiting it, or how many end users have been affected. The representatives wrote only:
"We appreciate the researchers['] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues."
StrandHogg represents the biggest threat to less-experienced users or people who have cognitive or other types of impairments that make it hard to pay close attention to subtle behaviors of apps. Still, there are several things alert users can do to detect malicious apps that try to exploit the vulnerability. Suspicious signs include:
An app or provider that you are already logged into is requesting a login.
Permission popups that don't contain an app name.
Permissions requested from an app that shouldn't require or need the permissions it asks for. For example, a calculator app requesting GPS permission.
Typos and mistakes in the user interface.
Buttons and links in the user interface that do nothing when clicked on.
Back button doesn't work as expected.
Tip-off from a Czech bank
Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security firm for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts. The partner gave Promon a sample of suspected malware. Promon eventually found that the malware was exploiting the vulnerability. Promon partner Lookout later identified the 36 apps exploiting the vulnerability, including BankBot variants.
Monday's post didn't say how many financial institutions were targeted in total.
The malware sample Promon analyzed was installed through several dropper apps and downloaders distributed on Google Play. While Google has removed them, it's not unusual for new malicious apps to make their way into the Google-operated service. Update: In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play.
Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play. People should also pay close attention to permissions requested by any app.