The StrandHogg exploit isn't particularly new – security researchers have known about a proof-of-concept version since 2015. A working, and potentially dangerous, version of the exploit only recently appeared in the wild hidden inside malware that has been propagating across the internet for the past year. Promon created an informational page for the exploit after discovering how widespread and dangerous it could be.
The exploit interrupts the flow of an app from launch to welcome screen and forces a user to give a piece of malware powerful permissions before letting the legitimate app run.
"Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw," said Lars Lunde Birkeland, Promon's Marketing & Communication Director.
"We tested the top 500 most popular apps and all of them are vulnerable," he said.
According to Promon, all versions of Android, including Android 10, are affected, and even fully patched, seemingly secure phones are vulnerable.
Hiding in plain sight
The exploit works by hijacking a legitimate app as it's launched on almost any Android phone. Instead of going to the welcome screen or login page, the user is shown a permissions pop-up drawn by the malware, the kind that asks whether the app can access your contacts, location, and stored data. Because the pop-up appears where the legitimate app's screen should be, it looks like a normal request from that app. When you approve it, the permissions are granted to the malware rather than to the legitimate app, which then continues to run as if nothing happened.
"The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you're redirected to the legit app," said Birkeland.
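The article does not say which Android feature makes this possible. Promon's disclosure attributes StrandHogg to two manifest attributes an app can set on an activity, android:taskAffinity and android:allowTaskReparenting, which let a malicious activity be placed in the legitimate app's task so that it is what comes to the foreground when the victim taps the legitimate icon. As an added example (not Promon's, Lookout's or Google's code), the following Python script flags those declarations in a decoded AndroidManifest.xml; the dropper package, the activity names and the sample manifest are constructed for the illustration.

```python
"""Flag StrandHogg-style task-hijacking declarations in a decoded
AndroidManifest.xml (text XML as produced by apktool, not the binary
XML inside a raw APK).

Indicators checked on each <activity>:
  android:taskAffinity          set to a package other than the app's own
  android:allowTaskReparenting  true (directly, or inherited from <application>)
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded manifest for a hypothetical dropper.
# The package and activity names are invented for this illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application android:label="Flashlight">
    <!-- ordinary launcher activity: no affinity override -->
    <activity android:name="com.example.dropper.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- empty affinity means "belongs to no task"; legitimate, not flagged -->
    <activity android:name="com.example.dropper.NoAffinityActivity"
              android:taskAffinity=""/>
    <!-- StrandHogg pattern: claims the victim app's task and asks to be
         reparented into it, so it surfaces when the victim's icon is tapped -->
    <activity android:name="com.example.dropper.PermissionProxyActivity"
              android:taskAffinity="com.bank.legit"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""


def _android(elem, attr):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def _is_true(value):
    return (value or "").strip().lower() == "true"


def find_task_hijack_indicators(manifest_xml):
    """Return (activity_name, reason) pairs for activities that could be
    slotted into another app's task."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    app = root.find("application")
    # <application android:allowTaskReparenting> is the default for every
    # activity that does not set the attribute itself.
    app_reparent = app is not None and _is_true(_android(app, "allowTaskReparenting"))

    findings = []
    for act in root.iter("activity"):
        name = _android(act, "name") or "<unnamed>"
        affinity = _android(act, "taskAffinity")
        # A missing attribute defaults to the package name; an empty string
        # means "no affinity", which is a legitimate hardening choice.
        if affinity and affinity != own_pkg:
            findings.append((name, f"taskAffinity targets foreign package {affinity!r}"))
        own_reparent = _android(act, "allowTaskReparenting")
        reparent = _is_true(own_reparent) if own_reparent is not None else app_reparent
        if reparent:
            findings.append((name, "allowTaskReparenting=true"))
    return findings


if __name__ == "__main__":
    for activity, reason in find_task_hijack_indicators(SAMPLE_MANIFEST):
        print(f"{activity}: {reason}")
```

Run it against a manifest decoded with apktool to triage an APK. A foreign taskAffinity is an indicator, not proof of malice on its own: some legitimate multi-app suites deliberately share an affinity, so the hits are a review queue rather than an automatic block.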
The researchers found that a Trojan program called BankBot used the exploit to give itself powerful permissions that could intercept SMS messages, log keypresses, forward calls, and even lock a phone until you pay a ransom, a concern for anyone running banking, financial, or wallet apps on their phone.
"It's a well-known banking Trojan and is seen in every country in the world," said Birkeland.
The exploit can also show a fake login page for some apps on some Android phones, but the permissions variant is far more common.
"The vulnerability is quite serious. You, as an attacker, are able to carry out quite powerful attacks," said Birkeland.
Promon discovered the malware when "several banks in the Czech Republic had reported money disappearing from customer accounts," wrote the researchers.
"From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017," they wrote.
"While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android (incl. Android 10)," wrote the researchers.
Why is it called StrandHogg? That has to do with the company's Norwegian roots.
"The vulnerability has been named by Promon as ‘StrandHogg’, old Norse for the Viking tactic of raiding coastal areas to plunder and hold people for ransom," wrote the researchers.
In a statement, a Google spokesperson said: “We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues."
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.