Security company Promon has discovered a critical vulnerability affecting all Android versions, including Android 10, which can allow an attacker to obtain full access to a compromised device.
Because the fake screen appears to belong to a legitimate app, users can also be tricked by forged permission prompts into granting access to their location, to SMS messages (which carry OTPs and two-factor codes), to call recording, and to real-time activity on the device, including photos and video.
Mobile security company Lookout has identified 36 malicious apps exploiting the StrandHogg vulnerability, and among them were variants of the BankBot banking trojan.
All versions of Android are affected and all of the top 500 most popular Android apps are at risk, Promon found.
The flaw lies in how Android manages tasks: when a user taps the icon of a legitimate app, malware exploiting the StrandHogg vulnerability can intercept and hijack that task to display a fake interface to the user instead of launching the legitimate application.
The researchers found that 60 separate financial institutions were being targeted via apps that sought to exploit the loophole.
"When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then log in to, and control, security-sensitive apps".

"These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted", researchers say.
"StrandHogg (...) uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device".
The researchers further note that sophisticated attacks by way of StrandHogg do not require the device to be rooted.
"The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play", the researchers added.
Promon researchers say that it is hard for app makers to detect whether attackers are exploiting StrandHogg against their own app(s), but that the risk can be partly mitigated by setting the task affinity of all activities to "" (the empty string) in the application tag of AndroidManifest.xml.
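The following is an added example, not code from Promon or from any app mentioned above, showing what that mitigation looks like in a manifest and how to check for it. It relies on documented Android behaviour: an activity's task affinity defaults to the application's package name, an application-level `android:taskAffinity` is inherited by every activity that does not override it, and an empty string means the activity will not share a task with any other activity. The two manifests and the package name `com.example.bank` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Manifest attributes such as android:taskAffinity live in this namespace,
# so ElementTree exposes them as "{namespace}taskAffinity".
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed example: a manifest that leaves taskAffinity at its default,
# which is the package name and therefore predictable to an attacker.
DEFAULT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity" android:exported="true"/>
  </application>
</manifest>"""

# Constructed example: the same manifest with the mitigation described in
# the text, an empty taskAffinity on the application tag that all activities
# inherit.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank" android:taskAffinity="">
    <activity android:name=".LoginActivity" android:exported="true"/>
  </application>
</manifest>"""

# Constructed example: hardened at the application level, but one activity
# quietly overrides the inherited value with a non-empty affinity again.
OVERRIDE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank" android:taskAffinity="">
    <activity android:name=".LoginActivity" android:exported="true"
        android:taskAffinity="com.example.bank.ui"/>
  </application>
</manifest>"""


def _attr(elem, name):
    # Read an attribute from the android: namespace (None if absent).
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_task_affinity(manifest_xml):
    """Return a list of findings for a manifest; an empty list means every
    activity ends up with an empty task affinity, which is the mitigation
    Promon recommends. Each finding is a human-readable string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return ["no <application> element"]

    app_affinity = _attr(app, "taskAffinity")
    if app_affinity is None:
        findings.append(
            "application: taskAffinity not set (defaults to the package name)")
    elif app_affinity != "":
        findings.append(
            'application: taskAffinity="%s" is non-empty' % app_affinity)

    for act in app.iter("activity"):
        name = _attr(act, "name") or "<unnamed>"
        act_affinity = _attr(act, "taskAffinity")
        if act_affinity is None:
            # Inherits the application-level value, already judged above.
            continue
        if act_affinity != "":
            findings.append(
                'activity %s: taskAffinity="%s" overrides the empty '
                "application value" % (name, act_affinity))
    return findings


if __name__ == "__main__":
    for label, manifest in (("default", DEFAULT_MANIFEST),
                            ("hardened", HARDENED_MANIFEST),
                            ("override", OVERRIDE_MANIFEST)):
        print(label, check_task_affinity(manifest) or "OK")
```

Run the check against the decoded manifest of a built APK (for example the output of `apktool d`) rather than only the source tree, since merged library manifests can contribute activities of their own. An empty finding list only shows that the affinity mitigation is in place; as the researchers note, it reduces rather than removes the risk.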
Google has responded to news of the vulnerability by saying: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".