December 9, 2019

Strandhogg Vulnerability | Android OS Safeguards


Earlier today, Promon, a Lookout partner, reported on Strandhogg, a vulnerability in the Android OS that allows one app to display an Activity in the UI context of another app. Attackers can exploit it for screen overlays, as banking trojans do, and for permission harvesting. During their research phase, Promon reached out to Lookout to help find and identify apps that exploit Strandhogg. After looking through their dataset, Lookout identified 36 malicious apps exploiting the Strandhogg vulnerability, among them variants of the Bankbot banking trojan observed as early as 2017.

A common tactic for banking trojans is to trick users into disclosing their banking credentials to the attacker by displaying a fake login screen over a legitimate mobile banking app. With those credentials, attackers can then create fraudulent financial transactions. Android has safeguards in place to defend against overlay attacks, but by using Strandhogg attackers can still mount such an attack, even against current versions of Android.
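The manifest fragment below is an added, defender-side illustration and is not code from the Lookout or Promon write-up. It assumes the standard Android task-affinity mechanism, under which an Activity with a matching affinity can be placed into another app's task, which is the behaviour that lets a foreign Activity appear in a victim app's UI context. Clearing `android:taskAffinity` and disabling `android:allowTaskReparenting` on an app's own activities makes them far less likely to be reparented into a task they do not own; the package and activity names are hypothetical placeholders.

```xml
<!-- Added hardening example; package and activity names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">

    <application
        android:label="Example Bank"
        android:allowTaskReparenting="false">

        <!-- An empty taskAffinity means this activity does not share a task
             affinity with any other app, so it cannot be pulled into, or
             joined by, an activity from a foreign package on affinity alone.
             singleTask keeps the login screen in its own app task. -->
        <activity
            android:name=".LoginActivity"
            android:taskAffinity=""
            android:allowTaskReparenting="false"
            android:launchMode="singleTask"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Apply the same attributes to every activity that shows or
             collects sensitive data, not only the launcher activity. -->
        <activity
            android:name=".TransferActivity"
            android:taskAffinity=""
            android:allowTaskReparenting="false"
            android:exported="false" />
    </application>
</manifest>
```

This is app-side hardening only: it reduces the chance that the app's own activities end up in an attacker-controlled task, but it does not by itself stop a malicious app already on the device from drawing its own screens, so on-device malware detection and platform patches remain the primary controls.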

Protecting organizations from banking trojans

Screen overlay attacks on financial institutions have increased significantly in the past 18 months. In February 2018, Lookout researchers uncovered 7,700 samples of BancaMarStealer, targeting over 60 financial institutions globally.

Through their strategic partnership, Lookout and Promon jointly offer mobile app developers the ability to protect the integrity of their apps: impeding attackers' attempts to reverse-engineer code and repackage mobile apps, preventing hooking by malicious code at run time, and defending against a variety of screen overlay attacks. Armed with a dataset of over 70M apps, Lookout App Defense can identify various types of malware, including advanced overlay attack trojans, using predictive behavior and binary similarity analysis for apps on a user's device. When malware is detected, remediation actions are taken based on the severity of the threat, including blocking authentication, switching to read-only mode, or preventing access to sensitive customer data.

Lookout customers are protected from Strandhogg. 

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world, 40 million apps and counting, the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world's leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected: Android
Threat Type: Vulnerability, Crimeware
Entry Type: Threat Summary
