December 9, 2019

Strandhogg Vulnerability | Android OS Safeguards

Platform(s) Affected
Android
Threat Type
Vulnerability, Crimeware
Entry Type
Threat Summary

Earlier today, Promon, a Lookout partner, reported on Strandhogg, a vulnerability in the Android OS that allows one app to display an Activity in the UI context of another app. Attackers can exploit this vulnerability for screen overlays, as used by banking trojans, and for permission harvesting. During their research phase, Promon reached out to Lookout to help find and identify apps that exploit Strandhogg. After looking through their dataset, Lookout identified 36 malicious apps exploiting the Strandhogg vulnerability, among them variants of the Bankbot banking trojan observed as early as 2017.
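As an added example (this is not code from Lookout or Promon, and the page itself names no manifest settings), the following Python script audits a decoded AndroidManifest.xml for the task-affinity configuration through which an Activity can end up in another app's task. It assumes the commonly advised hardening of giving every Activity an empty android:taskAffinity, treats an Activity whose affinity names a different package as a flag for a reviewer, and reports android:allowTaskReparenting. The two manifests and the package names in them are constructed samples.

```python
"""Audit a decoded AndroidManifest.xml for task-affinity settings.

Added example, not Lookout's or Promon's tooling. Assumptions: an empty
taskAffinity is the hardening a developer applies to their own app, and an
affinity naming a foreign package is what a reviewer would flag in an app
under analysis. Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return a list of (activity_name, issue) tuples for the manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for act in app.iter("activity"):
        name = _attr(act, "name") or "<unnamed>"
        affinity = _attr(act, "taskAffinity")
        reparent = (_attr(act, "allowTaskReparenting") or "false").lower() == "true"
        if affinity is None or affinity == package:
            # Android defaults the affinity to the package name, so the task
            # is joinable by any app that declares that same affinity string.
            findings.append((name, 'hardening: taskAffinity should be ""'))
        elif affinity != "":
            # Affinity naming another package: the reviewer-flag case.
            findings.append((name, "suspicious: taskAffinity targets foreign package %s" % affinity))
        if reparent:
            findings.append((name, "allowTaskReparenting=true lets the Activity move between tasks"))
    return findings


# Constructed sample: an app hardened with empty task affinities.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:taskAffinity="" />
    <activity android:name=".AccountsActivity" android:taskAffinity="" />
  </application>
</manifest>"""

# Constructed sample: an app whose Activity names another package's affinity.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.other">
  <application>
    <activity android:name="com.example.other.FakeLoginActivity"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("hardened", HARDENED_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, audit_manifest(xml) or "no findings")
```

Run it against the output of a manifest decoder (for example apktool's decoded AndroidManifest.xml) rather than the binary XML inside the APK; the hardened sample yields no findings, the suspicious one yields two.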

A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions. While Android has safeguards in place to defend against overlay attacks, by using Strandhogg attackers can still mount such an attack even against current versions of Android.

Protecting organizations from banking trojans

Screen overlay attacks on financial institutions have increased significantly in the past 18 months. In February 2018, Lookout researchers uncovered 7,700 samples of BancaMarStealer, targeting over 60 financial institutions globally. Through their strategic partnership, Lookout and Promon jointly offer mobile app developers the ability to protect the integrity of their apps, impede attackers' attempts to reverse-engineer code or repackage mobile apps, prevent hooking by malicious code at run time, and defend against a variety of screen overlay attacks. Armed with a dataset of over 70M apps, Lookout App Defense can identify various types of malware, including advanced overlay attack trojans, using predictive behavior and binary similarity analysis for apps on a user's device. When malware is detected, remediation actions are taken based on the severity of the threat, including blocking authentication, enforcing read-only access, or preventing access to sensitive customer data.

Lookout customers are protected from Strandhogg. 

