
‘StrandHogg’ Vulnerability Exploited by Malicious Android Apps

Norwegian app security company Promon on Monday disclosed the existence of a vulnerability that has been exploited by tens of malicious Android apps, and warned that hundreds of popular applications are at risk of being targeted.

Promon has dubbed the flaw StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom.

According to the company, StrandHogg attacks are possible due to a weakness in Android’s multitasking system, which allows a malicious application installed on the device to pose as a legitimate application in an effort to trick the victim into granting it elevated permissions.

A malicious Android app that does not have root access to the compromised device can exploit StrandHogg to trick the user into granting it the permissions needed to access files stored on the device, the camera, GPS location, SMS messages, contacts, the microphone and more.

Once it has these permissions, the malware can spy on the user through the device’s camera and microphone, read SMSs, phish login credentials (including 2FA codes via SMS), access private photos and videos, obtain the device’s location, access contacts and call logs, and even make calls and record the victim’s conversations.

Mobile security firm Lookout has identified 36 malicious applications exploiting the vulnerability, including variants of the BankBot banking Trojan that have been around since at least 2017.

Promon identified the StrandHogg vulnerability during the analysis of a malware sample designed to target banks in the Czech Republic. The company says that while the sample in question did not originate from the Google Play store, it was installed through several downloaders distributed via the official Android app store.

Promon told SecurityWeek that while Google has removed the downloader applications from the Play store, the tech giant has yet to release any patches for Android. The security firm said it reported its findings to Google this summer.

SecurityWeek has also reached out to Google for information regarding a possible patch for Android, but the company appears to be focusing on detecting and blocking malicious apps that exploit StrandHogg.

“We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified,” a Google spokesperson said. “Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”

Promon says the attack works on all versions of Android, including the latest Android 10, and it has determined that the 500 most popular Android apps are all susceptible to attacks.

In a StrandHogg attack, the malicious app hijacks a legitimate application’s task, which allows it to display a permissions request dialog box that appears to be associated with the legitimate app when in fact it requests permissions needed by the malicious app.

Then, when the legitimate app is opened again by the victim, the malware can, for example, display a fake login page in an effort to phish their credentials.

“In the background, the attack prepares and hijacks the target before the user even sees anything on the screen. Other than some minor flickering on certain devices, the user will only see the benign activity and will have no idea that malicious activity has taken place,” Promon explained.

The attack does not require the device to be rooted and the initial phase does not require any special permissions. Promon has published technical details and a video showing how the StrandHogg attack works.
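The task hijacking described above works because the attacker's activity is allowed to join a task that belongs to another app. The article does not name the manifest settings involved, so the following is an added example, not code from Promon or SecurityWeek: it assumes, from Android's documented manifest attributes, that an activity's `android:taskAffinity` (defaulting to the package name when unset) and `android:allowTaskReparenting="true"` are the settings a defender reviews, and that setting `taskAffinity=""` on an activity is the hardening that keeps it out of a shared task. The manifest below is constructed for the example; the script lints it and reports activities that still carry a shareable affinity or permit reparenting.

```python
"""Lint an AndroidManifest.xml for activities that could be pulled into a
hijacked task (the weakness StrandHogg-style attacks rely on).

Added example; attribute names come from Android's manifest documentation,
not from the article. Assumption: an activity whose taskAffinity is unset
inherits the <application> affinity, which in turn defaults to the package
name, so such activities share a task with anything claiming that affinity.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a fictional banking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:label="ExampleBank">
    <activity android:name=".LoginActivity"
              android:taskAffinity=""
              android:launchMode="singleTask" />
    <activity android:name=".DashboardActivity" />
    <activity android:name=".HelpActivity"
              android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list[dict]:
    """Return one finding per weak setting, keyed by activity name."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # Application-level affinity applies to every activity that sets none.
    app_affinity = _attr(app, "taskAffinity")

    for act in app.iter("activity"):
        name = _attr(act, "name") or "<unnamed>"
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = app_affinity if app_affinity is not None else package

        # A non-empty affinity is a task name another app can also claim.
        if affinity != "":
            findings.append({
                "activity": name,
                "issue": "shared-task-affinity",
                "detail": f"taskAffinity resolves to {affinity!r}; "
                          f"set android:taskAffinity=\"\" to isolate it",
            })

        # Reparenting lets the activity move into a different app's task.
        reparent = (_attr(act, "allowTaskReparenting") or "false").lower()
        if reparent == "true":
            findings.append({
                "activity": name,
                "issue": "allow-task-reparenting",
                "detail": "allowTaskReparenting=\"true\"; remove unless required",
            })
    return findings


def is_hardened(manifest_xml: str) -> bool:
    """True when no activity in the manifest carries a flagged setting."""
    return not audit_manifest(manifest_xml)


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{finding['activity']}: {finding['issue']} ({finding['detail']})")
    print("hardened:", is_hardened(SAMPLE_MANIFEST))
```

Running it against the sample reports nothing for `.LoginActivity`, one finding for `.DashboardActivity` (inherited package affinity) and two for `.HelpActivity`. The check is static and conservative: an app may legitimately need a shared affinity, so treat each finding as a review item rather than a verdict.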

Related: Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
