Earlier today, Promon, a Lookout partner, reported on Strandhogg, a vulnerability in the Android OS that allows for one app to display an Activity in the UI context of another app. This vulnerability can be exploited by attackers through screen overlays, such as in banking trojans, and permission harvesting. During their research phase, Promon reached out to Lookout to help find and identify apps that exploit Strandhogg. After looking through their dataset, Lookout identified 36 malicious apps exploiting the Strandhogg vulnerability, among them variants of the Bankbot banking trojan observed as early as 2017.
A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions. While Android has safeguards in place to defend against overlay attacks, by using Strandhogg attackers can still mount such an attack even against current versions of Android.
Screen overlay attacks on financial institutions have increased significantly in the past 18 months. In February 2018, Lookout researchers uncovered 7,700 samples of BancaMarStealer -- targeting over 60 financial institutions globally.Through their strategic partnership, Lookout and Promon jointly offer mobile app developers the ability to protect the integrity of their apps, impede attackers’ attempts to reverse-engineer code, repackage mobile apps, prevent hooking by malicious code at run time and a variety of screen overlay attacks. Armed with a dataset of over 70M apps, Lookout App Defense can identify various types of malware, including advanced overlay attack trojans, using predictive behavior and binary similarity analysis for apps on a user’s device. When malware is detected, various remediation actions take place based on the severity of the threat-- including blocking authentication, read-only or preventing access to sensitive customer data.
Lookout customers are protected from Strandhogg.
September 19, 2023
Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.
September 18, 2023
September 20, 2023