Cybercriminals have found an under-investigated vulnerability to breach Android devices. It is called StrandHogg, and it can allow them to listen through the microphone, steal login credentials, take photos with the camera, read SMS messages and even access stored photos. First reported by Norway-based cybersecurity firm Promon and later confirmed by their partner firm Lookout early this month, the vulnerability has now caught the eye of the cybersecurity wing of the Ministry of Home Affairs. According to a report in The Hindu, the Threat Analytical Unit of the Indian Cyber Crime Coordination Centre has sent an alert to all states and police departments about a bug that can be exploited by malware posing as genuine apps to spy on users.
While no reports of a possible large-scale breach have come out yet, Promon's CTO Tom Lysemose Hansen points out that there is tangible proof that attackers are exploiting StrandHogg in order to steal confidential information. The potential impact could be unprecedented in terms of scale and the amount of damage, as most apps are vulnerable by default.
The vulnerability was brought to Promon's notice by another European security company after several banks in the Czech Republic had reported money disappearing from customer accounts. That company shared a sample of the malware with Promon. Lookout has already identified 36 malicious apps, including the notorious BankBot banking trojan, that are exploiting the vulnerability.
So what is StrandHogg, and why does it target Android devices?
At the heart of the issue is a weakness in the multitasking system of the Android OS. StrandHogg exploits the Android control settings taskAffinity and taskReparenting, which let any app, including a malicious one, freely assume the identity of another task in the multitasking system. A malicious activity can hijack the target app's task, so the next time the user opens the target app, the hijacked task opens instead of the original one. During this interception the malicious app asks for permission to access the device's camera, microphone, messages, GPS and storage; if the user grants these permissions, the malicious app gains access to those components.
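As an added illustration (not code from Promon, Lookout or this article), the Python script below audits an AndroidManifest.xml for the two settings the paragraph names: in the manifest the reparenting control is the `allowTaskReparenting` attribute, and `taskAffinity` defaults to the package name, which is what lets an activity from another APK that declares the same affinity join the app's task. The script flags any activity whose effective affinity is not the empty string or which allows reparenting; the two sample manifests are constructed, and the check is a static heuristic, not a guarantee.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute, falling back to a default."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def audit_task_settings(manifest_xml: str) -> list[dict]:
    """Return one finding per <activity> whose effective task settings leave its
    task joinable by an activity from another APK declaring the same affinity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # Manifest defaults: taskAffinity falls back to the package name and
    # allowTaskReparenting to "false"; activities inherit both from <application>.
    app_affinity = _attr(app, "taskAffinity", package)
    app_reparent = _attr(app, "allowTaskReparenting", "false")
    findings = []
    for act in app.findall("activity"):
        issues = []
        affinity = _attr(act, "taskAffinity", app_affinity)
        if affinity != "":
            issues.append(f"taskAffinity={affinity!r} (shared, not empty)")
        if _attr(act, "allowTaskReparenting", app_reparent).lower() == "true":
            issues.append("allowTaskReparenting=true")
        if issues:
            findings.append({"activity": _attr(act, "name", "?"), "issues": issues})
    return findings


# Constructed sample: a banking app that relies on the manifest defaults.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".TransferActivity" android:allowTaskReparenting="true"/>
  </application>
</manifest>"""

# Constructed sample: the same app with an empty affinity and reparenting disabled.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:taskAffinity="" android:allowTaskReparenting="false">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".TransferActivity"/>
  </application>
</manifest>"""
```

Run `audit_task_settings(WEAK_MANIFEST)` to see both activities flagged, and the hardened manifest to get an empty list.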
Pennsylvania State University has in the past raised concerns about design flaws in Android multitasking that make it vulnerable to task hijacking. In a detailed report on task hijacking, researchers at the university explain that the operating system allows activities from different apps to co-reside in the same task, so that users can organise sessions through tasks and switch between apps with ease.
Samir Mody, VP, Cyber Threat Labs, K7 Computing, explains, "an email app's (app 1) message screen (activity 1) displays a website address which when clicked by the user would open in a browser app's (app 2) screen (activity 2). Suppose a user launches a banking app and clicks on a login button, StrandHogg can be leveraged by a malware already installed on the device to hijack such a task request to display, say, a fake internet banking login page asking the user to insert username and password."
The Promon report focuses entirely on Android, with no comment on multitasking in iOS. Mody opines that the iOS implementation of activity switching is likely to be different, although we don't have specific details on how iOS apps authenticate the activity handling between apps.
How does malware exploit StrandHogg?
According to Pennsylvania State University, the malware needs to be installed on the Android device to exploit this vulnerability. Promon found that the malicious apps exploiting the vulnerability did not come directly through the Google Play Store. Instead, they were installed through dropper apps distributed on Google Play. Dropper apps either have, or pretend to have, the functionality of popular apps so that they can bypass Google Play Protect. Once installed, the dropper installs additional apps, which may be malicious. According to Promon, such apps continue to be published and are known to have avoided detection by Google. A case in point is the malicious CamScanner app, which contained a malicious module and was downloaded more than 100 million times.
Promon claims the vulnerability affects all versions of Android from version 6 onwards, up to the recently released Android 10. Google, for its part, has removed the affected apps after they were reported to it, but the vulnerability itself has still not been fixed.