Actively Exploited StrandHogg Vulnerability Affects Android OS

Vulnerability in Android phones
A newly discovered Android vulnerability is actively exploited by malware such as the BankBot banking Trojan and it impacts all versions of the operating system up to and including Android 10. Many malicious mobile apps are exploiting in the wild to steal users’ banking and other login credentials and spy on their activities.


The new vulnerability discovered by Promon security researchers was named StrandHogg, the vulnerability resides in the multitasking feature of Android that can be exploited by a malicious app installed on a device to masquerade as any other app on it, including any privileged system app.

Once exploited, it allows malicious apps to camouflage as almost any legitimate app, with Promon finding that “all of the 500 most popular apps (as ranked by app intelligence company 42 Matters) are vulnerable to StrandHogg.”

Adding more to this vulnerability, StrandHogg is “unique because it enables sophisticated attacks without the need for a device to be rooted, uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device,” says Promon.

When a user taps the icon of a legitimate app, the malware exploiting the Strandhogg vulnerability can intercept and hijack this task to display a fake interface to the user instead of launching the legitimate application.

“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire.”

Actively Exploited StrandHogg Vulnerability Affects Android OS

By tricking users into thinking they are using a legitimate app, the vulnerability makes it possible for malicious apps to conveniently steal users’ credentials using fake login screens.

“In this example, the attacker successfully misleads the system and launches the spoofing UI by abusing some task state transition conditions, i.e., taskAffinity and allowTaskReparenting.”

“When the victim inputs their login credentials within this interface, sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps.”

What’s more harmful?

Since the attackers can gain access to any Android permission, they can perform a wide range of data collecting actions allowing them to:

  • Listen to the user through the microphone
  • Take photos through the camera
  • Read and send SMS messages
  • Make and/or record phone conversations
  • Phish login credentials
  • Get access to all private photos and files on the device
  • Get location and GPS information
  • Get access to the contacts list
  • Access phone logs

While the list of malicious apps exploiting StrandHogg in the wild is not yet revealed, Promon’s researchers state that the malware sample they analyzed was distributed via malware droppers and downloaders that have since been removed from the Play Store by Google.

Though there is no effective and reliable way to block or detect task hijacking attacks, users can still spot such attacks by keeping an eye on discrepancies, like:

  • an app you’re already logged into is asking for a login,
  • permission popups that do not contain an app name,
  • permissions asked from an app that shouldn’t require or need the permissions it asks for,
  • buttons and links in the user interface do nothing when clicked on,
  • The back button does not work as expected.

More information on this vulnerability is available in the Promon StrandHogg report published today.