Published: Thu, December 05, 2019
Electronics | By Kelly Massey

StrandHogg Android Vulnerability Can Grab Wallet and Banking Information

StrandHogg Android Vulnerability Can Grab Wallet and Banking Information

Dubbed StrandHogg, the vulnerability allows malicious apps to hijack genuine apps and perform malicious operations on their behalf. StrandHogg opens the door for attackers to listen to a user through a microphone, take photos using the device's camera, read and send SMS text messages, make or record phone conversations, phish login credentials, obtain access to all files and logs on a device and finally access location and Global Positioning System information. Mobile security firm Lookout then also analysed the malicious sample and confirmed that they had identified at least 36 malicious apps in the wild that are exploiting the Strandhogg vulnerability.

The security smart folks crafted a proof-of-concept attack that managed to compromise the top 500 most popular apps as ranked by intelligence company 42 Matters. However, while Google did remove the affected apps, it does not appear as if the vulnerability has been fixed for any version of Android.

StrandHogg is a bug in the OS component that handles multitasking - the mechanism that allows the Android operating system to run multiple processes at once and switch between them once an app goes in or out of the users' view (screen).

"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted".

"Promon researchers say that it's hard for app makers to detect if attackers are exploiting StrandHogg against their own app (s), but that the risk can be partly mitigated by setting the task affinity of all activities to "(empty string) in the application tag of AndroidManifest.xml.

"We respect the researchers ['] work, and have suspended the possibly unsafe apps they recognized".

The company issued a statement saying that it had closed the loophole and have suspended the potentially harmful apps using it from the Play Store.

Ugly fight breaks out during Georgia-Georgia Tech game
Fromm insists Georgia's offense will be ready for Saturday's Southeastern Conference championship game against top-ranked LSU. Star running back D'Andre Swift fumbled twice, the second of which left him crumpled on the turf holding his left shoulder.


An app or service that you simply're already logged into is asking for a login.

One of the apps mentioned by name was Shutterfly, which is used for editing photos.

"The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up".

Typos and mistakes in the user interface.

- Back button does not work as expected. Promon finally discovered that the malware was exploiting the vulnerability. "These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted", researchers say.

Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play.

Like this: