Researchers at Norwegian security firm Promon have discovered a serious Android vulnerability which can be exploited to steal login credentials, access messages, track location and more.

Called StrandHogg, the vulnerability affects all versions of Android, including Android 10, and the researcher who made the discovery says that it "leaves most apps vulnerable to attacks".

It works by exploiting a problem in Android's multitasking system, enabling malicious apps to overlay legitimate apps with fake login screens that fool users into handing over security credentials.

Victims can also be tricked into granting the malicious apps additional permissions, which then enable the apps to perform all manner of nefarious activities including intercepting texts and calls, and listening in via a phone's microphone.

Draining the bank

Promon unearthed the security hole while investigating apps that had been found stealing money from bank accounts. In all, it found that 60 financial institutions had been targeted with various apps that exploited the vulnerability.

Chief technology officer at Promon, Tom Hansen, told the BBC: "We'd never seen this behavior before. As the operating system gets more complex it's hard to keep track of all its interactions. This looks like the kind of thing that gets lost in that complexity".

Worryingly, it was found that most of the top 500 apps in Google Play were vulnerable to being exploited. Lookout, another security firm working in conjunction with Promon, identified no fewer than 36 malicious apps already actively exploiting the vulnerability. These included variants of the BankBot banking trojan, which has been around since 2017.

Promon published a video about the vulnerability.

OneSpan is a company that specializes in mobile app security, and it recognizes the importance of the discovery. Its senior product marketing manager, Sam Bakken, says: "Promon's recent findings make the vulnerability as severe as it's ever been".

He goes on to say that hackers have clearly been taking advantage of the security hole for quite some time: "Consumers and app developers alike were exposed to various types of fraud as a result for four years. Attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money".

Google has responded to news of the vulnerability by saying: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues".

But Promon warns that it is still possible to create fake overlay screens to trick users in all versions of Android.