Date: 2019-12-03

CYBER CRIMS can craft apps to steal bank login details thanks to a major security weakness in Android discovered by security firm Promon.

The vulnerability is called StrandHogg, which sounds a bit like a posh school in Scotland, but is, in fact, a flaw that allows hackers to create a fake login page pretending to be for a legitimate app.

While the victim of StrandHogg is then directed to the legitimate app once they put in their login details, another strand to the fake page sends the captured data to the attacker, and thus compromises the victim's data.

"StrandHogg, unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allow malicious apps to masquerade as any other app on the device," Promon's researchers explained.

"This exploit is based on an Android control setting called 'taskAffinity' which allows any app - including malicious ones - to freely assume any identity in the multitasking system they desire."
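A defensive check built on the taskAffinity setting named above, as an added example that is not from Promon or the original article: it audits an AndroidManifest.xml and flags activities whose task affinity names something outside the app's own package. The package names, the watchlist and the sample manifest are constructed, and the manifest is assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a "flashlight" app with one activity that claims
# the task affinity of an unrelated (hypothetical) banking package.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".Settings"
              android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".Overlay" android:taskAffinity="com.example.bank"/>
    <activity android:name=".Detached" android:taskAffinity=""/>
  </application>
</manifest>
""".strip()


def foreign_task_affinities(manifest_xml, watchlist=()):
    """Return (component, affinity, on_watchlist) for every activity whose
    effective taskAffinity lies outside the app's own package namespace."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # An <application>-level value is the default for its activities.
        app_affinity = app.get(ANDROID_NS + "taskAffinity")
        for tag in ("activity", "activity-alias"):
            for comp in app.iter(tag):
                affinity = comp.get(ANDROID_NS + "taskAffinity", app_affinity)
                # None: default affinity (own package). "": no affinity.
                if not affinity:
                    continue
                if affinity == package or affinity.startswith(package + "."):
                    continue
                name = comp.get(ANDROID_NS + "name", "<unnamed>")
                findings.append((name, affinity, affinity in watchlist))
    return findings


if __name__ == "__main__":
    protected = {"com.example.bank"}  # constructed list of apps to protect
    for name, affinity, hit in foreign_task_affinities(SAMPLE_MANIFEST, protected):
        flag = "  [matches protected app]" if hit else ""
        print(f"{name}: taskAffinity={affinity}{flag}")
```

A finding is a reason to review the app, not a verdict on its own.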

The security smart folks crafted a proof-of-concept attack that managed to compromise the top 500 most popular apps as ranked by intelligence company 42 Matters. So yeah, the flaw is kinda big.

Promon said the research built upon that carried out by Penn State University in 2015, which found aspects of the flaw and disclosed it to Google, but the search giant dismissed the vulnerability's severity.

"The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play," the researchers added.

"These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted."

Google is apparently looking into the issue and how it can defend against such attacks. But the whole thing does raise the issue of how the more complex and capable mobile operating systems become, the more nasty stuff seems to creep under the radar. µ