StrandHogg Android Vulnerability Allows Malware to Hijack Legitimate Apps

Researchers discovered a vulnerability in Android devices that allows malware to hijack legitimate apps. Using this vulnerability (StrandHogg), cybercriminals could trick users into granting permissions to their malicious apps and provide openings for phishing pages. An exploit of this vulnerability has already been seen in the wild.

Researchers from Promon came across StrandHogg by tracking a malware that has been exploiting the vulnerability. The malware itself was not found on Google Play, but can be installed by several dropper apps that have been downloaded several times.

In cooperation with Lookout, Promon identified 36 malicious apps exploiting the vulnerability in the wild during the time of their investigation. They did not name these apps, but did note that none were available for download on Google Play Store. Instead, these apps are dropped by other malicious apps.

Explaining the StrandHogg exploit

StrandHogg exists in how Android devices handle multiple tasks, specifically in the feature called task reparenting. This feature has to do with how an Android device’s activity can move from the task that started it to a task that it has an affinity for. For example, task reparenting is at work when a user clicks on a link on a messenger app that opens a browser still connected to the original app that started it.

A malicious app could exploit this feature by replacing one of the target tasks an app has an affinity for with its own task. It clears out the target task and replaces it with a new task that is under the cybercriminal’s control. Thus, the hijacked task would be displayed on the screen when the user launches the affected (legitimate) app.

This hijacked task could be anything, such as tasks that ask users for various permissions (eg. access to photos and files, contact list, etc.) that a user could unknowingly grant for the malicious app. Using this vulnerability, a cybercriminal could also lace a phishing scheme deep into the natural flow of a legitimate app.

Promon already found an exploit for this vulnerability in the wild. Although no known patch has been released, Google has responded to the report by removing the identified harmful apps and conducting further investigation.

More on mobile vulnerabilities

This case demonstrates how vulnerabilities in devices could allow openings for malware and app hijacking, but mobile users and other stakeholders also contend with vulnerabilities that exist in known legitimate apps themselves.

For example, Trend Micro recently reported on the way a known vulnerability (CVE-2019-11932) could also allow the execution of malicious code through specially crafted GIF files. CVE-2019-11932 was first discovered and already patched for WhatsApp, but further investigation revealed that it can also be found on more than 3,000 applications on Google Play, with similar apps found in third-party app stores.

Vulnerabilities like these expose users to significant risk, because not only do they have to contend with malicious apps themselves, they also need to practice caution with trusted legitimate applications. Users should also be careful when browsing through third-party app stores where they could have a higher chance of downloading malicious apps because of a less stringent approval process.

Applying patches and updates that address vulnerabilities as soon as they become available is the best viable defense against possible exploits, which should be practiced not only by users but by software and app developers as well.

Trend Micro Solutions

Android users can also take advantage of Trend Micro™ Mobile Security for Android™. End users can benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguards them from ransomware, fraudulent websites, and identity theft.

For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.