December 9, 2019

Strandhogg Vulnerability | Android OS Safeguards


Earlier today, Promon, a Lookout partner, reported on Strandhogg, a vulnerability in the Android OS that allows one app to display an Activity in the UI context of another app. Attackers can exploit this vulnerability for screen overlays, as used by banking trojans, and for permission harvesting. During their research phase, Promon reached out to Lookout to help find and identify apps that exploit Strandhogg. After looking through their dataset, Lookout identified 36 malicious apps exploiting the Strandhogg vulnerability, among them variants of the Bankbot banking trojan observed as early as 2017.

A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over legitimate mobile banking apps. Attackers are then able to create fraudulent financial transactions. While Android has safeguards in place to defend against overlay attacks, attackers using Strandhogg can still mount such an attack, even against current versions of Android.

Protecting organizations from banking trojans

Screen overlay attacks on financial institutions have increased significantly in the past 18 months. In February 2018, Lookout researchers uncovered 7,700 samples of BancaMarStealer, targeting over 60 financial institutions globally.

Through their strategic partnership, Lookout and Promon jointly offer mobile app developers the ability to protect the integrity of their apps, impede attackers’ attempts to reverse-engineer code and repackage mobile apps, and prevent hooking by malicious code at run time as well as a variety of screen overlay attacks. Armed with a dataset of over 70M apps, Lookout App Defense can identify various types of malware, including advanced overlay attack trojans, using predictive behavior and binary similarity analysis for apps on a user’s device. When malware is detected, various remediation actions take place based on the severity of the threat, including blocking authentication, limiting access to read-only, or preventing access to sensitive customer data.

Lookout customers are protected from Strandhogg. 

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected: Android
Threat Type: Vulnerability
Entry Type: Threat Summary