StrandHogg has already been used to access banking data. The exploit has been documented by security company Promon and seems to affect all Android versions. Because security researchers have known about the StrandHogg proof-of-concept model since 2015, the exploit is not new.
The Dangerous StrandHogg Version Has Been on the Internet for a While
The potentially dangerous StrandHogg version has been propagating all over the internet in the past year, hidden in malware. Promon even published a page with information on it after learning how fast it spreads and how dangerous it can be. It appears to interrupt an app's flow between the moment of launch and the appearance of the welcome screen, forcing the Android user to give the malware permission before letting the app run. This is what the Marketing and Communication Director at Promon, Lars Lunde Birkeland, had to say about it:
“Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw. We tested the top 500 most popular apps and all of them are vulnerable.”
Moreover, according to Promon, all Android versions, including Android 10, can be affected.
Launched on almost any kind of Android phone, StrandHogg exploits and hijacks apps and displays pop-ups that ask for access to contacts, stored data, and location. After permission is given, the app starts running normally. Birkeland explained how it works:
“The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you're redirected to the legit app.”
Researchers have discovered that the Trojan program BankBot in fact used the exploit to request permissions to intercept messages, make calls and even lock the phone until a ransom is paid. This has raised many concerns among those who bank on their phones or use wallet apps. The exploit can also present a fake login page for some Android apps, although the permissions exploit is the more widespread of the two.
The Vulnerability is Very Serious
Promon came across the malware when many banks in the Czech Republic started to report that money was being taken from their customers' accounts. This is what the company wrote:
“From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017. While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android (incl. Android 10),” wrote the researchers.
The name StrandHogg comes from an old tactic used by the Vikings to raid the coast and kidnap people for ransom.