When you tap an app on an Android smartphone, you expect the window that pops up next to be entirely legitimate. But a new vulnerability in the operating system can let a hacker hijack that process and place a malicious window on your phone instead.
The vulnerability is handy for hackers who design Android malware and try to spread their creations on app stores, according to the security firm Promon, which disclosed the flaw on Tuesday.
“By exploiting this vulnerability, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen,” the company said.
The malicious windows could include a fake login screen asking for your password. Victims who view the pop-up will assume the window is legitimate, but in reality the login screen is secretly designed to send your credentials to the hacker.
The vulnerability also enables a piece of malware to display fake permission windows that pretend to come from legitimate apps. The permissions could be used to ask for access to the phone’s camera, microphone, SMS messages or the GPS location, paving the way for partial device takeover.
What makes the vulnerability particularly problematic is that it doesn’t require root access or extra privileges to run on an Android device. The hacker needs only to trick the victim into downloading and installing the malware to start hijacking legitimate app processes on the phone.
Promon has dubbed the flaw StrandHogg 2.0 because of its similarities to an earlier vulnerability in Android that can also inject fake permission pop-up windows into the OS. StrandHogg 2.0 is an upgraded form of the attack, since it can hijack multiple apps on an Android device at any given time. The older attack, on the other hand, can only target apps one at a time.
The good news is that Android 10, the latest version of the operating system, is immune to the flaw. However, the vulnerability still affects Android 9 and below, which over 90 percent of the Android user base is currently running.
In response, Google earlier this month issued a security patch for Android 8, 8.1 and 9 that smartphone vendors can roll out to their devices. “We appreciate the work of the researchers, and have released a fix for the issue they identified,” a Google spokesperson told PCMag. “Additionally, Google Play Protect detects and blocks malicious apps, including ones using this technique.”
So far, Promon has uncovered no evidence that hackers have been abusing the StrandHogg 2.0 flaw. But the security firm predicts cybercriminals will eventually incorporate the vulnerability into their attacks.
To stay safe, it’s a good idea to only download apps from the Google Play Store, which tries to screen products for potential threats. You can also consider installing an antivirus program. That said, Promon is concerned that the StrandHogg 2.0 attack will be harder for both Google and antivirus software to detect, because the vulnerability can be activated without much discernible code.
“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” Promon added.