Cybersecurity researchers have discovered a new unpatched vulnerability in the Android operating system that dozens of malicious mobile apps are already exploiting in the wild to steal users’ banking and other login credentials and spy on their activities.
Dubbed Strandhogg, the vulnerability resides in the multitasking feature of Android that can be exploited by a malicious app installed on a device to masquerade as any other app on it, including any privileged system app.
In other words, when a user taps the icon of a legitimate app, the malware exploiting the Strandhogg vulnerability can intercept and hijack this task to display a fake interface to the user instead of launching the legitimate application.
By tricking users into thinking they are using a legitimate app, the vulnerability makes it possible for malicious apps to conveniently steal users’ credentials using fake login screens, as shown in the video demonstration.
“The vulnerability allows an attacker to masquerade as nearly any app in a highly believable manner,” the researchers said.
“In this example, the attacker successfully misleads the system and launches the spoofing UI by abusing some task state transition conditions, i.e., taskAffinity and allowTaskReparenting.”
“When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps.”
Besides phishing login credentials, a malicious app can also escalate its capabilities significantly by tricking users into granting sensitive device permissions while posing as a legitimate app.
“An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements.”
Discovered by researchers at Norwegian security firm Promon, Strandhogg task hijacking attacks are potentially dangerous because:
- it is almost impossible for targeted users to spot the attack,
- it can be used to hijack the task of any app installed on a device,
- it can be used to request any device permission fraudulently,
- it can be exploited without root access,
- it works on all versions of Android,
- it doesn’t need any special permissions on the device.
Promon spotted the vulnerability after analyzing a malicious banking Trojan app that hijacked bank accounts of several customers in the Czech Republic and stole their money.
According to the researchers, some of the identified malicious apps were also being distributed through several droppers and hostile downloader apps available on the Google Play Store.
Mobile security firm Lookout then also analysed the malicious sample and confirmed that they had identified at least 36 malicious apps in the wild that are exploiting the Strandhogg vulnerability.
“These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted,” researchers say.
Promon reported the Strandhogg vulnerability to the Google security team this summer and disclosed details today when the tech giant failed to patch the issue even after a 90-day disclosure timeline.
Though there is no effective and reliable way to block or detect task hijacking attacks, users can still spot such attacks by keeping an eye on discrepancies, like:
- an app you’re already logged into is asking for a login,
- permission popups that do not contain an app name,
- permissions asked from an app that shouldn’t require or need the permissions it asks for,
- buttons and links in the user interface do nothing when clicked on,
- The back button does not work as expected.
In more detail
We have seen malware utilizing the StrandHogg vulnerability as a main strategy, for the first time. The malware itself did not reside on Google Play but was installed through several Hostile Downloaders, i.e. malicious apps that are distributed on Google Play.
The exploits described above works when a malicious app sets the taskAffinity on one or more of its activities to match the packageName of any third-party app. Then, by either combining with allowTaskReparenting=”true” in manifest, or by launching the activity with intent-flag of Intent.FLAG_ACTIVITY_NEW_TASK the malicious activity will be placed within and on top of the target’s task.
Thus the malicious activity hijacks the target’s task. The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible.
The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed.
What is particularly egregious is that the attacker can gain significant control over the victim’s task. By combining with Intent#FLAG_ACTIVITY_NEW_TASK and Intent#FLAG_ACTIVITY_CLEAR_TASK, the attacker first clears out the target task, and then gets launched into it.
That activity can then finish the target task with android.app.Activity#finishAndRemoveTask, and launch a new task with the same affinity with Intent#FLAG_ACTIVITY_NEW_TASK and Intent#FLAG_ACTIVITY_MULTIPLE_TASK and thus create a new target task guaranteed to be under the attacker’s control. After that, the attacker can launch the victim’s actual launcher activity, and let the victim’s app run its course as usual.
Meanwhile, because the attacker still retains control over the victim’s task, it now has a lot more information about the state of the target. It may then intercept and inject a phishing activity deep in the flow of the target application, in a place that is much more natural to the user and flow of the target app.