What’s StrandHogg and why has it got the cybersecurity arm of Indian Home Ministry concerned?

A little-researched Android vulnerability has been found being exploited by cybercriminals. Named StrandHogg, it can enable attackers to listen through the microphone, steal login credentials, take photos with the camera, read SMS messages and even access stored photos. First reported by Norway-based cybersecurity firm Promon early this month and later confirmed by its partner firm Lookout, the vulnerability has caught the eye of the cybersecurity wing of the Ministry of Home Affairs.

While no reports of a potential large-scale breach have emerged yet, Promon's CTO Tom Lysemose Hansen points out that there is concrete proof that attackers are exploiting StrandHogg to steal confidential data. The potential effects could be unprecedented in scale and in the amount of damage, since most apps are vulnerable by default.

The vulnerability was brought to Promon's notice by another European security company after several banks in the Czech Republic reported money disappearing from customer accounts. That organisation shared a sample of the malware. Lookout has identified 36 malicious apps, including the notorious BankBot banking trojan, that exploit the vulnerability.

So what is StrandHogg, and why does it target Android devices?

At the core of the issue is a weakness in the multitasking system of the Android OS. StrandHogg abuses the Android control settings taskAffinity and taskReparenting to let apps, including malicious ones, freely assume the identity of another task in the multitasking system. The malicious activity hijacks the target app's task, so the next time the user opens the target app, the hijacked task opens instead of the original one. During this interception, the malicious app can request permission to access the device's camera, microphone, messages, GPS and storage; if the user grants these permissions, the malicious app gains access to those components.
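As an added illustration of the control the article refers to, the following manifest excerpt shows the developer-side setting that limits exposure to task hijacking. This is an example written for this page, not code from Promon, Lookout or any affected app; the package name `com.example.bank` and the activity names are constructed placeholders. By default an activity's taskAffinity equals the app's package name, which is what allows an activity from another app that declares the same affinity to be placed into the same task. Declaring an empty affinity on sensitive activities means they never share a task with activities from other apps.

```xml
<!-- AndroidManifest.xml excerpt: constructed example, not from any real app.
     Package name and activity names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">

    <application android:label="ExampleBank">

        <!-- Weak (default) configuration: no taskAffinity is declared, so the
             activity's affinity is implicitly "com.example.bank". Any other
             app that declares the same affinity can have one of its own
             activities reparented into this task, which is the behaviour
             StrandHogg abuses. -->
        <activity android:name=".LoginActivityWeak" />

        <!-- Hardened configuration: an empty taskAffinity means this activity
             has no affinity with any task, so activities from other apps
             cannot join its task. Apply the same attribute to every activity
             that handles credentials or other sensitive input. -->
        <activity
            android:name=".LoginActivity"
            android:taskAffinity=""
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

This is an app-level mitigation that each developer must apply to their own app; it does not fix the platform weakness itself, and an app that omits it remains exposed until Android addresses the underlying task-management behaviour.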

Pennsylvania State University had earlier raised concerns about the design defects in Android that make it vulnerable to task hijacking. In a detailed report on task hijacking, researchers at the university explain that the operating system permits activities from different apps to co-reside in the same task, so that users can organise sessions through tasks and switch between apps with ease.

Samir Mody, VP, Cyber Threat Labs, K7 Computing, explains: "an email program's (program 1) message display (activity 1) displays a site address that, when clicked by the user, will open in a browser program's (app 2) display (activity 2). Suppose a user launches a banking program and clicks on a login button; StrandHogg can be leveraged by a malware installed on the device to hijack such a task request to display, say, a bogus internet banking login page asking the user to insert username and password."

The Promon report focuses on Android and makes no remarks on multitasking in iOS. Mody opines that the iOS execution of activity switching is likely to be different, although we don't have specific details on how iOS apps authenticate the action handling between apps.

How does malware exploit StrandHogg?

According to Pennsylvania State University, the malware has to be installed on the device to exploit this vulnerability. Promon found that the malicious apps did not come directly through the Google Play Store; they were installed through dropper apps. Dropper apps either have, or pretend to have, the functionality of popular apps so that they can slip past Google Play Protect. Once installed, the dropper installs additional apps, which may be malicious. According to Promon, such apps continue to be published and have been shown to evade detection. A case in point is the CamScanner app, which contained a malicious module and was downloaded over 100 million times.

Promon asserts the vulnerability affects all versions of Android from 6 onwards, including the recently released Android 10. Google, for its part, removed the affected apps after they were reported, but the vulnerability itself has still not been fixed.
