"This exploit is based on an Android control setting called "taskAffinity" which allows any app - including malicious ones - to freely assume any identity in the multitasking system they desire". BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.
While the complete impact of the bug and malicious apps exploiting it remains unclear, Google has now patched the vulnerability.
Promon said that all of the top 500 most popular apps on the Android Play Store are at risk, and all versions of Android are affected. "It is possible to hijack such a task before the target app has even been installed".
"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted".
The Promon researchers further pointed out that they disclosed their findings to Google last summer. Instead, the malicious apps were installed on devices as second-stage downloads. Nonetheless, there are a number of things alert users can do to detect malicious apps that try to exploit the vulnerability.
"If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless", said Serge Egelman, director of usable security and privacy research at UC Berkeley's International Computer Science Institute, which produced the research.
- Permission popups that don't contain an app name.
- Typos and mistakes in the user interface.
- Back button doesn't work as expected.

There's also no way to block the attack at this time, but you can keep a close watch on what permissions an app asks for.

Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that a number of banks in the Czech Republic had reported money disappearing from customer accounts. "Promon's partner gave Promon a sample of the suspected malware to investigate", Promon researchers explained.
According to Techradar, Google is aware of the vulnerability, having suspended applications that were identified as malicious.
Researchers from Lookout, a mobile security provider, also confirmed the security flaw and identified 36 malicious apps exploiting it, including BankBot variants. "These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted", researchers say.

Update: In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play.

Users should also pay close attention to the permissions requested by any app.