Researchers at the app security technology provider Promon recently revealed a dangerous flaw christened “StrandHogg” that they say is present in every version of Android up to and including Android 10, released in September 2019. The researchers report that the 500 most popular Android apps they tested were vulnerable and suggest that every Android app is vulnerable by default.
Promon obtained a sample of malware discovered in the wild that exploits this vulnerability to gain access to a user’s SMS messages, photos, geolocation, contacts, phone logs, camera and microphone. In addition, the malware can exploit the vulnerability to place a counterfeit login screen in front of a legitimate app, without the user noticing anything amiss, and send any credentials the user enters straight to an attacker.
As you might imagine, criminals salivate over the monetization potential of stolen mobile banking credentials combined with access to one-time passwords sent via SMS. According to the researchers, malware designed to exploit the vulnerability has targeted the customers of 60 different financial institutions since 2017.
The company’s findings expand upon prior research from Pennsylvania State University that identified a “task hijacking” attack facilitated by flaws in the design of Android multitasking. At the time, the university researchers provided proof-of-concept exploit code and notified Google of the issue, but the attacks were considered mostly theoretical and Google did not act on the report.
Four years later, Promon has evidence of attackers actively using that vulnerability to spy on users and steal money in the wild. With this new revelation, the vulnerability is as severe as it has ever been, and consumers and app developers alike have remained exposed for four years. Consumers are especially powerless to protect themselves in these situations: the counterfeit screen is indistinguishable from the real app, and no setting on the device turns the underlying behavior off.
Luckily, app developers can take action to protect both themselves and their users.
In-App Protection Can Help
Various mobile app security technologies under the umbrella of in-app protection—including app shielding and runtime protection—make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS. The industry analyst firm Gartner recently predicted that by 2022, at least 50% of successful attacks against mobile apps could have been prevented using in-app protection.
In-app protection should not take the place of mobile application security testing or penetration testing, but it does make it easier for developers to design security into their apps from the beginning. And, especially relevant in this case, these security technologies harden an app deployed in unknown, untrusted, potentially hostile environments, such as an Android device affected by the StrandHogg vulnerability and susceptible to these task hijacking attacks.
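The article does not describe the mechanism itself, but the task hijacking that StrandHogg relies on is the documented Android behavior in which an activity's android:taskAffinity (which defaults to the app's own package name) decides which task it joins, so another app can name the victim's package as its affinity and have its own activity placed in the victim's task. The developer-side hardening below is an added example, not code from Promon or from the original article: a hypothetical victim manifest fragment with the exposed default beside the hardened declaration. The package name com.example.bank and the activity name LoginActivity are assumptions.

```xml
<!-- Added example for a hypothetical victim app; com.example.bank and
     LoginActivity are assumed names, not from the original article. -->

<!-- BEFORE (exposed default): android:taskAffinity is omitted, so it
     defaults to the package name "com.example.bank". Any other app whose
     activity declares android:taskAffinity="com.example.bank" can have
     that activity placed in this task and shown in front of the real
     login screen, which is the task-hijacking behavior described above. -->
<activity
    android:name=".LoginActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

<!-- AFTER (hardened): an empty taskAffinity gives the task an affinity that
     no other app's manifest can name, and singleTask keeps this activity as
     the root of its own task, so a foreign activity cannot be reparented
     on top of it. Apply the same two attributes to every activity that
     shows a login form or other sensitive input. -->
<activity
    android:name=".LoginActivity"
    android:exported="true"
    android:taskAffinity=""
    android:launchMode="singleTask">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
```

A quick check for an existing app is to search the merged manifest (build/intermediates under the Android build directory) for activities that have no android:taskAffinity attribute; each one inherits the package-name default and is therefore a candidate for hijacking. This manifest change is a mitigation in the app's own control and does not depend on a platform patch, which is the point made above about hardening apps for untrusted devices.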
In-app protection and app shielding also protect against repackaged mobile apps, script injection, SMS grabbing and more. And best of all, the protection is mostly invisible to users. These technologies are non-intrusive security guards—blending into the background, but continuously monitoring for any suspicious behavior and stepping in only when necessary.
Neither Android nor iOS will ever be 100% secure. And neither Google nor Apple will take immediate action on every single security flaw identified in their platforms, leaving developers and users exposed for a period of time (some exposure windows being longer than others).
Therefore, it’s more important than ever for any business that deploys or publishes critical and high-value mobile apps to take these windows of exposure seriously and go beyond basic security that is too reliant on either Android or iOS. Taking the issue seriously requires investments in mobile app security that go above and beyond, adding layers of protection that lessen the exposure created by unknown and unfixed flaws in the mobile operating systems.