The StrandHogg exploit isn't particularly new – security researchers have known about a proof-of-concept version since 2015. A working, and potentially dangerous, version of the exploit only recently appeared in the wild hidden inside malware that has been propagating across the internet for the past year. Promon created an informational page for the exploit after discovering how widespread and dangerous it could be.
The exploit interrupts the flow of an app from launch to welcome screen and forces a user to give a piece of malware powerful permissions before letting the legitimate app run.
"Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw," said Lars Lunde Birkeland, Promon's Marketing & Communication Director.
"We tested the top 500 most popular apps and all of them are vulnerable," he said.
All versions of Android, including Android 10, are affected and even patched, seemingly secure phones are allegedly vulnerable according to Promon.
Hiding in plain sight
The exploit works by highjacking a legitimate app as it's launched on almost any Android phone. Instead of going to the welcome screen or login page, the exploit allows a piece of malware to display so-called permissions pop-ups, the kind that asks if the app can access your contacts, location, and stored data. When you approve the request, the malware is given all of the permissions instead of the legitimate app, which continues to run as if nothing happened.
"The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you're redirected to the legit app," said Birkeland.
The researchers found that a Trojan program called BankBot used the exploit to give itself powerful permissions that could intercept SMS messages, log keypresses, forward calls, and even lock a phone until you pay a ransom, a concern for anyone running banking, financial, or wallet apps on their phone.
"It's a well-known banking Trojan and is seen in every country in the world," said Birkeland.
The exploit can also show a fake login page for some apps on some Android phones but the permissions exploit is far more common.
"The vulnerability is quite serious. You, as an attacker, are able to carry out quite powerful attacks," said Birkeland.
Promon discovered the malware when "several banks in the Czech Republic had reported money disappearing from customer accounts," wrote the researchers.
"From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017," they wrote.
"While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android (incl. Android 10)," wrote the researchers.
Why is it called Strandhogg? That has to do with the company's Swedish roots.
"The vulnerability has been named by Promon as ‘StrandHogg’, old Norse for the Viking tactic of raiding coastal areas to plunder and hold people for ransom," wrote the researchers.
In a statement, a Google spokesperson said: “We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues."
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.