Millions of fully patched Android smartphones are exposed to malware designed to steal money from users' bank accounts.
Researchers from security firm Promon found that many malicious apps are using the "StrandHogg" vulnerability to disguise themselves as legitimate apps already installed on users' devices, so that a victim who opens a trusted app is instead shown a screen controlled by the attacker.
“The vulnerability makes it possible for a malicious app to ask for permissions while pretending to be the legitimate app. An attacker can ask for access to any permission, including SMS, photos, microphone, and GPS, allowing them to read messages, view photos, eavesdrop, and track the victim’s movements,” said Promon.
“When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps.”
According to Promon, StrandHogg exploits a weakness in the way Android's multitasking system groups app screens into tasks, which lets a malicious app's screen be shown in place of a legitimate app's without any root access or special permissions.
“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire.”
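The attribute Promon names is the `android:taskAffinity` entry an app declares for each activity in its `AndroidManifest.xml`; by default it equals the app's own package name, and an activity that declares another app's package name as its affinity (optionally with `android:allowTaskReparenting="true"`) can be placed into that app's task. The scanner below is an added example, not code from Promon or from the original article: it reads a decoded text manifest (for instance the output of `apktool d`, an assumption, since the manifest inside an APK is binary) and flags activities whose affinity points outside their own package, then separately checks a defender's own manifest for activities that do not pin `taskAffinity` to the empty string, a commonly recommended hardening that this page does not itself describe. Both sample manifests and their package names are constructed for the example.

```python
"""Scan a decoded AndroidManifest.xml for taskAffinity settings that could be
used to place an activity into another app's task (the StrandHogg pattern),
and check an app's own manifest for the empty-affinity hardening.
Added example; not Promon's tooling. Input is assumed to be a text manifest
as produced by apktool, not the binary manifest inside an APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def find_task_affinity_anomalies(manifest_xml: str) -> list:
    """Return activities whose taskAffinity names a package other than the
    declaring app's own. allowTaskReparenting raises the severity because
    it lets the activity move into the matching task once that task exists."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for act in root.iter():
        if act.tag not in ("activity", "activity-alias"):
            continue
        affinity = _attr(act, "taskAffinity")
        # None = default (own package), "" = no affinity at all, own namespace = benign
        if affinity is None or affinity == "" or affinity == package \
                or affinity.startswith(package + "."):
            continue
        reparent = _attr(act, "allowTaskReparenting", "false") == "true"
        findings.append({
            "activity": _attr(act, "name", "?"),
            "taskAffinity": affinity,
            "allowTaskReparenting": reparent,
            "severity": "high" if reparent else "medium",
        })
    return findings


def activities_without_empty_affinity(manifest_xml: str) -> list:
    """For a defender's own app: list activities that do not set
    android:taskAffinity="" and so still share the default package-named
    task that a foreign activity could join."""
    root = ET.fromstring(manifest_xml)
    return [_attr(a, "name", "?") for a in root.iter("activity")
            if _attr(a, "taskAffinity") != ""]


# Constructed sample: a "flashlight" app whose overlay activity targets a bank's task.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".OverlayActivity"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true"/>
    <activity android:name=".HelperActivity"
        android:taskAffinity="com.example.flashlight.helper"/>
  </application>
</manifest>
"""

# Constructed sample: the bank app with every activity pinned to an empty affinity.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity"
        android:taskAffinity="" android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountsActivity" android:taskAffinity=""/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_task_affinity_anomalies(SUSPECT_MANIFEST):
        print(f"[{f['severity']}] {f['activity']} -> {f['taskAffinity']}"
              f" (reparent={f['allowTaskReparenting']})")
    print("unpinned activities in hardened app:",
          activities_without_empty_affinity(HARDENED_MANIFEST))
```

Run against the constructed suspect manifest the scanner reports only `.OverlayActivity` (the `.HelperActivity` affinity stays within the app's own package namespace and is ignored), and the hardened bank manifest produces no unpinned activities. A foreign affinity is a strong signal but not proof on its own: the attacker can also launch the impersonating activity directly from a running service, so treat the finding as a reason to inspect the app, not as a verdict.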
Promon said that all of the top 500 most popular apps on the Google Play Store can be impersonated in this way, and that all versions of Android are affected.
The investigation into StrandHogg builds on research published by Penn State University in 2015, which Google dismissed at the time.