Android flaw lets hackers use fake login pages to swallow banking data

Ruben Fields
December 5, 2019

However, users can still install other malicious applications from the Play Store and receive these programs as secondary payloads for more intrusive StrandHogg attacks. "An attacker can ask for access to any permission, including SMS, photos, microphone, and Global Positioning System, allowing them to read messages, view photos, eavesdrop, and track the victim's movements", said Promon.

The company worked with U.S. security firm Lookout, which found 36 malicious apps exploiting the flaw, including variants of the BankBot banking trojan. Researchers at Promon Security have found that the vulnerability affects most Android versions, including the latest version, Android 10. This is an OS-level flaw that, sadly, hasn't been fixed by Google in any version of Android to date, and all Android devices are exposed to it. That omission makes it hard for people to know whether they are, or have been, infected. Users who had another malicious app on their devices found the StrandHogg-infected apps on board as well.

Hackers can exploit the vulnerability without root access, according to researchers.

This vulnerability is "based on an Android control setting called taskAffinity, which allows any app, including the malicious ones, to freely assume any identity in the multitasking system they desire".
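As an added example (not code from Promon, Lookout or this article), a defender-side triage check that parses a decoded AndroidManifest.xml and flags activities whose `taskAffinity` names a package other than the app's own. The sample manifest and its package names are constructed, the input is assumed to be already decoded to text XML, and `android:allowTaskReparenting` is a real manifest attribute that the article itself does not mention.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:taskAffinity="com.example.flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
    <activity android:name=".Settings"
              android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".Detached" android:taskAffinity=""/>
  </application>
</manifest>
"""

def foreign_affinities(manifest_xml):
    """Return one finding per activity whose taskAffinity names another package."""
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    app = root.find("application")
    if app is None or not package:
        return []
    app_affinity = app.get(A + "taskAffinity")  # inherited by activities
    findings = []
    for act in app.iter("activity"):
        affinity = act.get(A + "taskAffinity", app_affinity)
        # None: defaults to the app's own package. "": no affinity to any task.
        if not affinity:
            continue
        # Heuristic: affinities under the app's own package name are expected.
        if affinity == package or affinity.startswith(package + "."):
            continue
        findings.append({
            "activity": act.get(A + "name"),
            "taskAffinity": affinity,
            "allowTaskReparenting": act.get(A + "allowTaskReparenting") == "true",
        })
    return findings

if __name__ == "__main__":
    for finding in foreign_affinities(SAMPLE_MANIFEST):
        print(finding)
```

A finding is a prompt for manual review rather than proof of abuse, since some apps set unusual affinities for legitimate reasons.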

Google representatives did not reply to questions about when the flaw is likely to be patched, how many Google Play apps have been caught exploiting it, or how many end users have been affected.

In a statement, Google said: "We appreciate the work of the investigators, and have suspended the potentially risky applications they identified". "Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues".

- An app or service that you're already logged into is asking for a login.

- Permission popups that do not contain an app name.

- Permissions asked from an app that shouldn't require or need the permissions it asks for.

- Back button doesn't work as expected.

So, when the user clicks a trusted app's icon on the screen, a malicious version instead starts.

Promon's chief technology officer welcomed Google's response, as he said many other applications could potentially be exploited through the spoofing bug. Promon partner Lookout later identified the 36 apps exploiting the vulnerability, including BankBot variants. "These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted", researchers say.
