Promon, a cybersecurity research firm, is calling the attention of smartphone users to a vulnerability on the Android platform that could jeopardize the safety of their Bitcoin.
In a Twitter post published on December 2, the researchers at the Norwegian company gave an account of how they discovered StrandHogg, an Android vulnerability which, as they described, has affected the top 500 apps on the Play Store, an s capable of affecting all mobile phones irrespective of their Android version.
Serious Android vulnerability leaves most apps vulnerable to attacks. All versions of Android affected (incl. Android 10,) and real-life malware is currently exploiting the flaw. Learn more: https://t.co/RCJGHbjDMy #StrandHogg #Android #Vulnerability
— Promon (@Promon_Shield) December 2, 2019
Masking as Legit apps
As the company explained, StrandHogg poses as a regular app on an infected device, thus allowing its malicious software to steal users’ login details through its fake login screen. As soon as sensitive details are put on the login page, the virus immediately sends them to the attackers, who use them to gain entry into the victim’s accounts.
Essentially, this means that attackers can use StrandHogg to steal anything, varying from Email addresses to cryptocurrency wallet passwords and banking apps. However, as Promon notes, the virus can also hack into a mobile phone’s microphone, read, and even send text messages. It can also read files on the mobile phone along with details on pictures and other media components.
The company added that while they had informed Google about the vulnerability as far back as the summer of 2018, the internet company only took out the affected apps. The malicious app itself exists on all Android versions.
#StrandHogg was misused by the #BankBot Android banking Trojan found by @LukasStefanko on #GooglePlay back in 2017.
Using "taskAffinity", it posed as a Google Play Store app to request credit card details from victims. #ESETresearch https://t.co/pkqsIXT5it pic.twitter.com/sboayBW3gG
— ESET research (@ESETresearch) December 4, 2019
Promon initially found 36 apps on the Google Play Store, which, when installed, loads the additional apps onto the affected devices. These secondary apps are the ones that activate StrandHogg malware.
“The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted,” Promon asserted in its release.
Disguise is the new norm
To be safe, the company adds that smartphone users should be wary of certain red flags when operating their phones. These include apps constantly requesting for logins, person pop-ups that have app names, typos in user interfaces, malfunctioning “back” buttons, and permission requests from apps which would have no use for them (such as calculators)
These days, malicious codes asking as legitimate apps or websites are becoming commonplace. The mode of operation has formed the backbone of some of the cryptocurrency industry’s top scam methods, including but not limited to ransomware and cryptojacking.
In August, cybersecurity firm Varonis released a research report on Norman, a new form of malware that, among other things, can evade a computer’s task manager software. Per the report, Norman shuts down immediately the task manager is activated and starts when the latter is closed.
With all of these, the demand for security has continued to skyrocket.