Researchers from security firm Promon, found a vulnerability in millions of fully patched Android phones, that's being exploited by malware through malicious apps designed to drain the user's bank account. The vulnerability is exploited by 36 apps, including bank trojans. These apps masquerade as legitimate apps already installed by the user posing on it or inside it, say the researchers. As the user already trusts these apps, after installing these then ask for permissions like recording audio or video, taking photos, reading text messages or phishing login credentials.
Victims who click yes, fall prey to the scam. Lookout and Promon, researchers reported on Monday that they found 36 apps exploiting the spoofing vulnerability. This includes BankBot banking trojan, which's been active since 2017 and apps from this malware have been caught on Google Play repeatedly. And the only way the users can protect themselves is by clicking 'no' to the permissions. TaskAffinity is the function in Android where this vulnerability occurs that lets the app disguise as other app and work in the multitasking environment. Using this the malicious app is placed inside or top of the target. "Thus the malicious activity hijacks the target's task," Promon researchers wrote.
"The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed." Promon is calling the vulnerability, "StrandHogg," neither promon nor lookout has revealed the apps but Google has removed these apps from their market.
Still, the vulnerability remains a problem in Android. Google representatives said, "We appreciate the researchers['] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate to improve Google Play Protect's ability to protect users against similar issues."