Unpatched Android Flaw Exploited To Steal Banking Logins

Researchers have warned of a security flaw in Android that is being actively exploited to steal online banking logins.

The “StrandHogg” flaw, which affects Android’s multitasking system, allows malicious apps to overlay fake login screens on legitimate apps, said Norwegian security firm Promon.

Google said it has removed malicious software from the Play Store, but the issue has not yet been fixed. It affects all versions of Android, including version 10, released in September of this year.

Newer versions of Android, from version 6.0 onward, can also be exploited via StrandHogg to cause malicious permissions pop-ups to appear whilst a legitimate app is in use.

By unknowingly granting permissions to the malicious apps, users can enable a broad range of attacks: giving attackers access to data stored on their devices or to their location data, allowing them to send and intercept SMS messages or phone calls, or letting them eavesdrop via the phone’s microphone.

Promon chief technology officer Tom Hansen said in an advisory the bug was particularly dangerous because it affects all Android versions and because most apps are vulnerable by default.

“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” he said, adding that the potential impact could be “unprecedented”.

Promon said it found the bug whilst analysing malware that was stealing funds from users’ bank accounts.

The firm found evidence that at least 60 separate financial institutions were being targeted using the vulnerability.

Vulnerable apps

The company worked with US security firm Lookout, which found 36 malicious apps exploiting the flaw, including variants of the BankBot banking trojan.

Promon said all of the 500 most popular apps on Google Play were vulnerable to being exploited via StrandHogg.

Google said it has removed the malicious apps identified in Promon’s research and is “continuing to investigate” to improve its ability to block such apps from becoming available on the Play Store in the first place.

Google faces a difficult task in patching the bug for its installed base of users, many of whom rarely, if ever, update their phone’s operating system software.

The company said in May of this year that its mobile platform now has more than 2.5 billion users.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
