Published: Wed, December 04, 2019
Electronics | By Kelly Massey

A serious Android bug could be exploited to steal your banking credentials

Cybersecurity researchers have discovered a new unpatched vulnerability in the Android operating system that dozens of malicious mobile apps are already exploiting in the wild to steal users' banking and other login credentials and spy on their activities.

Although Penn State University researchers theoretically described certain aspects of the StrandHogg vulnerability in 2015, and Promon notified Google of its discovery this summer, Google has yet to plug the security hole; the company said it is investigating ways to improve Google Play Protect's ability to protect users against similar issues.

By tricking users into thinking they are using a legitimate app, the vulnerability makes it possible for malicious apps to conveniently steal users' credentials using fake login screens, as shown in the video demonstration. "Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using", the Norwegian security company explains.

They found that 60 separate financial institutions were being targeted via apps that sought to exploit the loophole.

Dubbed Strandhogg, the vulnerability resides in the multitasking feature of Android that can be exploited by a malicious app installed on a device to masquerade as any other app on it, including any privileged system app.

This vulnerability is "based on an Android control setting called taskAffinity, which allows any app, including the malicious ones, to freely assume any identity in the multitasking system they desire".
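As an added defensive illustration (not code from the article, Promon or Google): because an activity inherits its application's affinity, which defaults to the package name, a foreign activity declaring that same affinity can be placed into the app's task by the multitasking system; declaring an empty affinity removes the value an impostor would match. The package and activity names below are hypothetical.

```xml
<!-- Added example with a hypothetical package, not the page's own code. -->

<!-- BEFORE: no taskAffinity declared, so every activity inherits the
     application's affinity, which defaults to the package name
     "com.example.bank". An activity in another app that declares
     android:taskAffinity="com.example.bank" (plus allowTaskReparenting
     or a new-task launch) can be routed into this app's task and be
     what the user sees when tapping the bank's icon. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:label="Example Bank">
        <activity android:name=".LoginActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

<!-- AFTER: android:taskAffinity="" on <application> sets an empty
     affinity as the default for every activity, so the task has no
     name that a third-party activity's declared affinity can match.
     Set it per <activity> instead if some screens legitimately need
     a shared affinity. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:label="Example Bank"
        android:taskAffinity="">
        <activity android:name=".LoginActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

To confirm the setting survived the build, `aapt dump xmltree app.apk AndroidManifest.xml` prints the compiled manifest attributes, where taskAffinity should appear as an empty string.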

While the StrandHogg victim is directed to the legitimate app once they have entered their login details, another strand of the fake page sends the captured data to the attacker, compromising the victim's data.

According to the researchers, some of the identified malicious apps were also being distributed through several droppers and hostile downloader apps available on the Google Play Store. Google, however, removed the affected apps that could help drop StrandHogg on an Android device.

What's worse is that Promon claims the vulnerability can be exploited without root access, and researchers from Lookout say they have already identified a total of 36 malicious apps whose goal is to take advantage of StrandHogg.

"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted". Google's been good at rooting them out and removing them, but it is an ongoing battle, the researchers say.

In a statement, Google said: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".
