An Android vulnerability, dubbed ‘StrandHogg’, was announced recently by security researchers. The vulnerability allows malware to pose as legitimate apps, with users unaware they are being targeted. The StrandHogg attack is very similar to a vulnerability that researchers presented at USENIX Security 2015, describing how malicious apps can abuse the "task reparenting" functionality. Since this is a core OS "feature", when an app is targeted (e.g. Facebook), the malicious app can either kill the running app or launch before the targeted app does. As such, the targeted apps do not have the opportunity to deploy any sort of countermeasures or warnings to the user. While there are legitimate uses for this functionality (usually a "service" or "plugin" type of app that extends the functionality of an existing app), threat actors have found a way to abuse the feature.
The 36 malicious apps that the researchers referenced in relation to StrandHogg were not on the official Google Play store. However, there have been malicious apps that can install other malicious code (these apps are called droppers), so, in theory, if anyone installed a dropper app before Google pulled it, another app could have been installed.
NowSecure believes the risk is quite low; however, if you’d like to review suspicious apps more closely, we recommend the following:
- Use static analysis on the .apk to detect whether it is maliciously targeting other apps.
- Specifically, the AndroidManifest.xml carries indications of task hijacking: the combination of android:allowTaskReparenting="true" and android:taskAffinity="com.facebook.katana", where the affinity is not the .apk's own package name but the package name of the app it is targeting, in this case Facebook.
- Alternatively, the malicious app can launch the activity with the intent flag Intent.FLAG_ACTIVITY_NEW_TASK.
In these instances, the malicious activity will be placed within and on top of the target's (Facebook in the above example) task.
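The manifest check above can be scripted. The following is an added example written for this post, not NowSecure tooling; it assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML (for instance with apktool) and reads that text. It goes slightly beyond the text in one respect: a taskAffinity naming a foreign package is reported even without allowTaskReparenting, at lower confidence, while the combination described above is ranked high. The sample manifest is constructed and does not correspond to any real app.

```python
import xml.etree.ElementTree as ET

# Namespace prefix that every android:* attribute carries in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def find_task_hijack_indicators(manifest_xml: str) -> list[dict]:
    """Flag <activity> elements whose effective taskAffinity names a package
    other than the APK's own, noting whether task reparenting is also allowed.

    Both attributes may be set on <application> (inherited by every activity)
    or per <activity>; an activity's own value wins. An unset taskAffinity
    defaults to the package name, which is the benign case.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = app.get(ANDROID_NS + "taskAffinity")
    app_reparent = app.get(ANDROID_NS + "allowTaskReparenting", "false")

    findings = []
    for activity in app.iter("activity"):
        affinity = activity.get(ANDROID_NS + "taskAffinity", app_affinity)
        if affinity is None:
            affinity = package
        reparent = activity.get(ANDROID_NS + "allowTaskReparenting", app_reparent)
        # A foreign affinity is suspicious on its own; combined with
        # reparenting it is the exact pattern the advisory describes.
        if affinity and affinity != package:
            findings.append({
                "activity": activity.get(ANDROID_NS + "name", "?"),
                "taskAffinity": affinity,
                "allowTaskReparenting": reparent == "true",
                "confidence": "high" if reparent == "true" else "medium",
            })
    return findings


# Constructed sample of a decoded manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".LoginActivity"
        android:allowTaskReparenting="true"
        android:taskAffinity="com.facebook.katana"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in find_task_hijack_indicators(SAMPLE_MANIFEST):
        print(finding)
```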
If you have any questions or would like to consult with NowSecure mobile app security experts further regarding the StrandHogg vulnerability, please don’t hesitate to reach out to your Customer Success Manager or firstname.lastname@example.org for assistance.