Android
Vulnerability
Threat Summary
Crimeware
December 9, 2019

Strandhogg Vulnerability | Android OS Safeguards

An android device with a cracked screen

Earlier today, Promon, a Lookout partner, reported on Strandhogg, a vulnerability in the Android OS that allows for one app to display an Activity in the UI context of another app. This vulnerability can be exploited by attackers through screen overlays, such as in banking trojans, and permission harvesting. During their research phase, Promon reached out to Lookout to help find and identify apps that exploit Strandhogg. After looking through their dataset, Lookout identified 36 malicious apps exploiting the Strandhogg vulnerability, among them variants of the Bankbot banking trojan observed as early as 2017. 

A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions. While Android has safeguards in place to defend against overlay attacks, by using Strandhogg attackers can still mount such an attack even against current versions of Android.

Protecting organizations from banking trojans

Screen overlay attacks on financial institutions have increased significantly in the past 18 months. In February 2018, Lookout researchers uncovered 7,700 samples of BancaMarStealer -- targeting over 60 financial institutions globally.Through their strategic partnership, Lookout and Promon jointly offer mobile app developers the ability to protect the integrity of their apps, impede attackers’ attempts to reverse-engineer code, repackage mobile apps, prevent hooking by malicious code at run time and a variety of screen overlay attacks. Armed with a dataset of over 70M apps, Lookout App Defense can identify various types of malware, including advanced overlay attack trojans, using predictive behavior and binary similarity analysis for apps on a user’s device. When malware is detected, various remediation actions take place based on the severity of the threat-- including blocking authentication, read-only or preventing access to sensitive customer data. 

Lookout customers are protected from Strandhogg. 

Authors

Lookout

Endpoint Security
Platform(s) Affected
Android
Threat Type
Vulnerability
Entry Type
Threat Summary
Threat Type
Crimeware
Platform(s) Affected
Android
Vulnerability
Threat Summary
Crimeware

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell