Unpatched Android Flaw Exploited To Steal Banking Logins


Unpatched ‘StrandHogg’ vulnerability found to be targeting at least 60 financial institutions, but could also be used to carry out a range of other attacks

Researchers have warned of a security flaw in Android that is being actively exploited to steal online banking logins.

The “StrandHogg” flaw, which affects Android’s multitasking system, allows malicious apps to overlay fake login screens on legitimate apps, said Norwegian security firm Promon.

Google said it has removed malicious software from the Play Store, but the issue has not yet been fixed. It affects all versions of Android, including version 10, released in September of this year.

Newer versions of Android, from version 6.0 onward, can also be exploited via StrandHogg to cause malicious permissions pop-ups to appear whilst a legitimate app is in use.


Permissions

By unknowingly granting permissions to the malicious apps, users can enable a broad range of attacks, including giving attackers access to data stored on their devices or their location data, or allowing them to send and intercept SMS messages or phone calls or eavesdrop via the phone’s microphone.

Promon chief technology officer Tom Hansen said in an advisory the bug was particularly dangerous because it affects all Android versions and because most apps are vulnerable by default.

“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” he said, adding that the potential impact could be “unprecedented”.

Promon said it found the bug whilst analysing malware that was stealing funds from users’ bank accounts.

The firm found evidence that at least 60 separate financial institutions were being targeted using the vulnerability.


Vulnerable apps

The company worked with US security firm Lookout, which found 36 malicious apps exploiting the flaw, including variants of the BankBot banking trojan.

Promon said all of the 500 most popular apps on Google Play were vulnerable to being exploited via StrandHogg.
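Apps are "vulnerable by default" because an Android activity inherits its task affinity from the package name unless the developer overrides it. The following checker is an added example, not code from this article, from Promon or from Lookout; it assumes the hardening step Promon published alongside its advisory, namely giving every activity an explicit empty `android:taskAffinity` so that a task belonging to a different app cannot claim the activity, and it runs over a constructed sample manifest rather than a real app.

```python
"""Report Android activities whose effective task affinity is not empty.

Added example, not from the article, Promon or Lookout. It assumes the
StrandHogg hardening advice of setting android:taskAffinity="" on every
activity. The manifest below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TASK_AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest: one hardened activity, one left at the
# package default, one given a custom affinity that another app could copy.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:taskAffinity="" />
    <activity android:name=".TransferActivity" />
    <activity android:name=".SettingsActivity"
        android:taskAffinity="com.example.bank.shared" />
  </application>
</manifest>
"""


def find_affinity_gaps(manifest_xml: str) -> list:
    """Return (activity name, effective affinity) for every activity whose
    effective taskAffinity is anything other than the empty string.

    Resolution order mirrors the manifest rules: the activity's own
    attribute wins, then the <application> attribute, then the package name.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_default = app.get(TASK_AFFINITY) if app is not None else None

    findings = []
    for activity in root.iter("activity"):
        name = activity.get(NAME, "<unnamed>")
        affinity = activity.get(TASK_AFFINITY)
        if affinity is None:
            affinity = app_default if app_default is not None else package
        if affinity != "":
            findings.append((name, affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in find_affinity_gaps(SAMPLE_MANIFEST):
        print(f"{name}: effective taskAffinity {affinity!r} (expected '')")
```

Setting the attribute once on the `<application>` element covers every activity that does not override it, which the resolution logic above accounts for; the check is meant for a build step or manifest review, not as a substitute for the platform fix the article says is still outstanding.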

Google said it has removed the malicious apps identified in Promon’s research and is “continuing to investigate” to improve its ability to block such apps from becoming available on the Play Store in the first place.

Google faces a difficult task in patching the bug for its installed base of users, many of whom rarely, if ever, update their phone’s operating system software.

The company said in May of this year that its mobile platform now has more than 2.5 billion users.