
Researchers in Norway have discovered an Android vulnerability that, they say, can be exploited to use any app to steal data or credentials. Named StrandHogg Vulnerability – a word derived from the old Norse language after the ancient Viking tactic of coastal raiding with the intent to capture livestock or indigenous people who could be used as slaves or for ransom – it was first detected in December 2019 by an east European security company working in the financial sector. The company noticed that money was disappearing from the bank accounts of several customers of different banks in the Czech Republic.

Researchers say that the StrandHogg vulnerability allows attackers to launch sophisticated malware attacks without the need for the Android device to be rooted. They say attackers exploit the operating system’s control setting called “taskAffinity” to launch the attacks. “taskAffinity” allows an app to assume any identity within the operating system. Researchers have pointed out that the vulnerability stems from Android’s multitasking features, which can allow a wide range of task-hijacking attacks. This gives attackers the ability to spoof the UI and make the spoofed entity look like the real UI without the user getting to know about it.

Researchers have said that all top 500 apps are at risk due to the vulnerability, which means that all apps in the Android ecosystem are vulnerable. What makes the StrandHogg vulnerability unique is that it does not require the device to be rooted to perform sophisticated attacks, as it does not need any special permission compared to a normal app. The vulnerability can be exploited by the attacker very easily because it allows them to masquerade their app as any other app trusted by the user.

This Android vulnerability is being exploited in the wild: a malicious app could steal the banking and login credentials of the device user. According to Android security researchers, when a user opens an app on their device, the malware could display a fake UI over the actual app, tricking the user into thinking that they are using the legitimate application. When the user then types their username and password to log into the app, the malware could capture that data and send it to the attacker instantly, allowing them to gain access to sensitive apps, like a banking app.

Such an attack could also allow a malicious app to perform a “privilege escalation” by tricking users into granting permission they usually do not allow, like permissions to read text messages, view location data, listen to phone calls, or even access the device camera.

Government Scare

The StrandHogg Trojan has made governments take notice as well. In sheer numbers, India is the second country with the highest number of smartphone users after China, albeit low in overall penetration vis-à-vis the population. On December 16, 2019, the Indian home ministry sent an alert to all provincial governments warning them about the vulnerability the Android operating system faced from StrandHogg that allows real-time malware applications to pose as genuine applications and access user data of all kinds. The information was shared by the Threat Analytical Unit of the Indian Cyber Crime Coordination Centre in the home ministry. “At least 500 popular apps are at risk because of this malware that hackers can deploy to attack mobile phone users. An alert has been sent to all senior police officials to sensitize them to the threat. Steps will be taken to create awareness among the public on the vulnerability of Android to ‘StrandHogg’,” a police official said.

In the United States, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the state’s unit for cybersecurity information sharing, threat analysis, and incident reporting and a component organization within the New Jersey Office of Homeland Security and Preparedness (NJOHSP) also issued an advisory to its users to refrain from downloading suspicious apps on Google Play or third-party app stores. They asked users to be on the lookout for behaviour that may indicate a device is infected, such as an app where a user is already logged in requesting a fresh login, permission pop-ups that do not contain an app name, apps requesting extensive permissions, typographical errors in the app user interface, or faulty buttons and links within the app.

How StrandHogg Vulnerability Works

According to researchers, StrandHogg is a flaw in multitasking, specifically in what happens when a user switches between tasks or processes for different applications or operations. The Android operating system uses a technique known as “task re-parenting,” which diverts the processor’s processing power toward the app that is currently being used on the screen. StrandHogg abuses “task re-parenting”: whenever the user taps on a genuine app, the malicious code in the attacker’s app is fired up at the same time. The researchers say that they have already seen this in use, and it is unlikely that the user would spot the malicious app.

They say that this vulnerability does not require root access to the device and works on all versions of the Android operating system, without any permissions beyond the ones needed by genuine apps.

What also befuddled researchers was the fact that the malware had managed to regularly slip under the radar on Google Play, leading to the spread of malicious code that exploits the flaw. While the specific malware sample that researchers analyzed did not reside on the app store, it was installed through several dropper apps/hostile downloaders distributed on Google Play.

According to researchers, the malicious apps were being distributed through the Google Play store via downloader apps or “droppers” as second-stage payloads – which means that a user accidentally installs a malicious app, which then downloads the attack app without the user’s knowledge or permission to carry out the attack. A dropper is an app that pretends to have the same functionality as a popular app, like a game, utility, or even photo-editing app, but in reality it installs additional applications that can execute malicious tasks in the background. A legitimate-looking dropper could, then, install malware that takes advantage of the StrandHogg vulnerability.

The researchers discovered 36 malicious applications using the StrandHogg vulnerability that were being distributed on the Google Play store. After the researchers alerted Google about these apps, they were removed from the app store. However, until early December 2019, Google had not developed a patch for the vulnerability, even after being alerted for over three months.

The researchers say that they have real evidence of attackers using this vulnerability and causing serious damage, especially to a mobile banking user in one case. It is obvious that after stealing the user’s banking credentials, hackers can also access any code sent via SMS for a two-factor authentication method to the device, thus bypassing all security features of the targeted banking app.

Impact on iOS Devices and Crypto Apps

While Android security looks compromised now, iOS is also not far behind. Earlier this year, Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone zero-day exploits. TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

More troubling is the fact that malware exploiting the StrandHogg vulnerability is far from the only software of its type. Several smartphone apps designed to steal money, including cryptocurrency, have been discovered over the past several months, as have malware programs designed to infect personal computers. As blockchain assets become more valuable, more are certain to follow. Fortunately, there have been no reported incidents of cryptocurrency losses as a result of StrandHogg, but given the decentralized nature of the technology, it is quite possible that thefts are either unknown or misinterpreted.

Detecting StrandHogg Attacks

Researchers have said it is practically impossible for a regular user to detect the attack, as there is no effective method to identify or block it. However, they said that a targeted device user could notice several discrepancies, for example, an app asking them to log in when they have already done so. The researchers said that users should be aware of unusual requests made by apps that do not really need them: for example, a calculator app asking for GPS permission. Apart from this, if the user notices buttons in the app that do not work, or a back button that behaves unexpectedly, they should get suspicious. In addition, typographical errors and spelling mistakes should also raise suspicion.

Pennsylvania State University has, in the past, raised concerns about the design flaws in the Android multitasking feature, which makes it vulnerable to task hijacking. In a detailed report on task hijacking, researchers at the university explained that the operating system allows activities from different apps to co-reside in the same task, so users can organize sessions through tasks and switch between apps with ease.

The researchers say that Android users should download apps only from known developers. They also suggest that the user should close apps after use and not just switch to the home screen. This is an effective way to stop the StrandHogg attack, though it is not foolproof. For more advanced users, especially business users, the researchers advise connecting the device to a computer over USB and running adb shell dumpsys activity, which outputs a list of all current tasks and their associated apps. This allows the advanced user to detect malicious activities, if any.
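As an added example (not from the original post or from the researchers), the following Python script automates that check: it parses the output of adb shell dumpsys activity activities and flags any task whose back stack mixes activities from more than one package. The ActivityRecord line shape, the package names and the sample output are assumptions constructed for the example.

```python
import re
import subprocess
from collections import defaultdict

# Assumed shape of the per-activity lines in `adb shell dumpsys activity activities`
# (it varies a little between Android releases; adjust the pattern if yours differs):
#   * Hist #1: ActivityRecord{3f2c1a0 u0 com.example.suspect/.FakeLoginActivity t42}
ACTIVITY_RE = re.compile(
    r"ActivityRecord\{\S+ u(?P<user>\d+) (?P<pkg>[\w.]+)/(?P<act>\S+) t(?P<task>\d+)\}"
)

def tasks_from_dumpsys(text):
    """Group activities by task id: {task_id: [(package, activity), ...]},
    in dumpsys order (top of the back stack first)."""
    tasks = defaultdict(list)
    for m in ACTIVITY_RE.finditer(text):
        pkg, act = m.group("pkg"), m.group("act")
        if act.startswith("."):  # manifest shorthand for <package>.<Activity>
            act = pkg + act
        tasks[int(m.group("task"))].append((pkg, act))
    return dict(tasks)

def suspicious_tasks(tasks):
    """{task_id: sorted packages} for every task holding activities from more than
    one package: the footprint a re-parented attacker activity leaves when it
    joins a genuine app's task."""
    flagged = {}
    for task_id, records in tasks.items():
        packages = sorted({pkg for pkg, _ in records})
        if len(packages) > 1:
            flagged[task_id] = packages
    return flagged

def check_connected_device():
    """Run the real dumpsys over adb (USB or wireless debugging) and triage it."""
    out = subprocess.run(["adb", "shell", "dumpsys", "activity", "activities"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_tasks(tasks_from_dumpsys(out))

# Constructed sample, not captured from a real device: task 42 belongs to the
# bank app but has a second package's login screen sitting on top of it.
SAMPLE = """\
  Task id #42
    * Hist #1: ActivityRecord{3f2c1a0 u0 com.example.suspect/.FakeLoginActivity t42}
    * Hist #0: ActivityRecord{9b8a7c6 u0 com.example.bank/.MainActivity t42}
  Task id #7
    * Hist #0: ActivityRecord{1d2e3f4 u0 com.android.launcher3/.Launcher t7}
"""
```

A task containing a second package is a triage signal rather than proof, since apps legitimately pull some foreign activities (a camera or share target) into their own task; look at which package sits on top of which before drawing conclusions.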

The researchers say that app developers can retrieve some basic task information via the Android SDK. However, it is not certain whether developers can do so if the tasks are not running in the foreground. Therefore, there is a fair chance that the app could be hijacked without it even running. Since Android has no service to notify the developer if a task is hijacked, the developer would need access to a monitoring service running in the background to know about it. Also, since the attacker uses the operating system’s vulnerability, and not the app itself, to attack, even a developer who is monitoring their app may not be able to block this type of attack, as the app itself is not modified and repackaging or signature checks would therefore not detect anything.

The researchers have pointed out that the developer of a genuine app can set the task affinity of all activities to an empty string (android:taskAffinity="") in the application tag of AndroidManifest.xml, indicating that the activities of the benign app do not have an affinity to any task. However, this reduces the risk only to an extent.
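As an added example (not from the original post or from the researchers), this Python check can run in a build pipeline to confirm the manifest hardening above: it parses AndroidManifest.xml, reports an application element whose android:taskAffinity is absent or non-empty, and reports any activity that re-enables an affinity of its own. The two manifests for com.example.bank are constructed for the example, not a real project.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TASK_AFFINITY = "{%s}taskAffinity" % ANDROID_NS
NAME = "{%s}name" % ANDROID_NS

def task_affinity_findings(manifest_xml):
    """Return findings for every way an activity in this manifest could still end up
    sharing a task with another package; an empty list means the affinity is cleared
    on <application> and is not re-enabled by any <activity>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    app_affinity = app.get(TASK_AFFINITY)  # None when the attribute is absent
    if app_affinity is None:
        findings.append("application: android:taskAffinity not set, so it defaults "
                        "to the package name, which another app can declare as well")
    elif app_affinity != "":
        findings.append('application: android:taskAffinity is %r, expected ""' % app_affinity)
    for act in app.iter("activity"):
        name = act.get(NAME, "<unnamed>")
        own = act.get(TASK_AFFINITY)
        if own is not None and own != "":
            findings.append("activity %s overrides taskAffinity with %r" % (name, own))
        elif own is None and app_affinity != "":
            findings.append("activity %s inherits the unsafe application affinity" % name)
    return findings

# Constructed manifests for a hypothetical com.example.bank app (not a real project).
WEAK_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank">
    <activity android:name=".LoginActivity" android:exported="true" />
  </application>
</manifest>"""

HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank" android:taskAffinity="">
    <activity android:name=".LoginActivity" android:exported="true" />
  </application>
</manifest>"""
```

An empty findings list only confirms the affinity setting; as the text says, it lowers the risk without removing it, so the runtime signs listed earlier still matter.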

If a user thinks that they are stuck with an app that has been exploited through StrandHogg, they can always factory-reset their device. Setting it up as a brand-new device, rather than restoring from a backup, is considered a good solution, though it causes loss to users who are not careful in backing up their data. 

One of the ways of dealing with a security threat like StrandHogg is to use a mobile application security layer, such as AppSealing, to protect Android devices. Security software like this offers protection against task-hijacking attacks and provides protection during the runtime of applications.

Conclusion

Over the past few years, screen overlay attacks on banking apps have increased significantly. The ubiquitous technique used by these Trojans is to manipulate users into entering their banking app passwords and other identification information into a fake login screen overlaid on the actual banking app. It is the same in the case of the StrandHogg vulnerability. Needless to say, StrandHogg represents a very real challenge for Android banking users as well as crypto users, as it gives hackers access to wallet and key information.

Govindraj Basatwar, Global Business Head
A techno-commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plans, sales, and business development activities.