Unpatched Android vulnerability StrandHogg exploited

[German]Bad news for Android users who installs a lot of apps on their devices. There is an unpatched Android vulnerability called StrandHogg. This vulnerability is already being exploited by malicious apps.

I already became aware of this vulnerability yesterday via the following tweet. A report can also be found on The Hacker News.

Android: New StrandHogg vulnerability is being exploited in the wild

> Promon has identified a new Android OS vulnerability
> Lookout confirmed that 36 apps have used it in the wild
> StrandHogg affects all Android OS versionshttps://t.co/SVqzGNctAR pic.twitter.com/m72ddNzkoZ

— Catalin Cimpanu (@campuscodi) December 2, 2019

StrandHogg uses a vulnerability in the Android multitasking mechanism to bypass permissions. A malicious app can camouflage itself and request permissions of which the user has no idea. The vulnerability called StrandHogg was discovered by security researchers from promon, who describe the vulnerability here. The vulnerability is strange:

• All versions of Android, including Android 10, are affected, there is no patch.
• Basically, all 500 of the most popular Android apps are vulnerable.
• There is already malware that exploits the vulnerability.
• 36 malicious apps that exploit the vulnerability have been identified.

The vulnerability can be exploited without root access. The Permission Harvesting Exploit is only possible from Android 6.0 (but up to Android 10). If a malicious app is installed on the Android device, it can be exploited via StrandHogg:

• Listen to the user via the microphone
• Capturing photos through the camera
• Reading and sending SMS messages
• Making and/or recording telephone calls
• Access logon information
• Access all private photos and files on the device
• Get location and GPS information
• Get access to the contact list
• Gain access to phone logs

So it's the worst case, because the vulnerability allows malicious code to bypass all permissions for apps that are set in Android.

Lookout, a Promon partner, confirmed that they had identified 36 malicious applications that were already exploiting the vulnerability. These included variants of the BankBot-Bank Trojan observed in 2017. During the test, Promon researchers found out that all 500 most popular apps (42 Matters in the App Intelligence Company ranking) are susceptible to StrandHogg.

The only good news is that the user must install the app with the malicious code himself so that StrandHogg can exploit it. So if you only get a few apps from a trusted source in the Google Play Store, you should be reasonably sure. .

However, it can be assumed that dropper apps will soon appear in the Play Store. These then download the malicious code to take advantage of StrandHogg. And malware that is already delivered on Android devices by the manufacturer via pre-installed apps could use StrandHogg. The following tweet refers to an article that deals with downloaders.

Check out this article: The Role of Evil Downloaders in the Android Mobile Malware Kill Chain https://t.co/SrXMymbM1h

— Aryeh Goretsky (@goretsky) December 2, 2019