Android users were warned to be on their guard after a major vulnerability was discovered in the operating system that could be used to steal banking logins.

Norwegian security firm Promon said the vulnerability, known as StrandHogg, exploits a weakness in Android’s multitasking system that allows malicious apps to pretend to be a legitimate app on the device. It also allows attackers to create a fake version of a login screen, enabling it to harvest confidential login credentials.

The vulnerability affects all versions of Android, including the newest release Android 10, and does not require root access – a privileged control that gives complete access to everything in the operating system.

Promon said it could be exploited in two main ways: a malicious app could pretend to be a legitimate one and ask users to grant permission to access data on the device; or it could run an attack that would display a fake version of an app on a user’s screen when the icon of a legitimate app is clicked.

Users affected by StrandHogg would likely be unaware they had been hit by the vulnerability.

Eavesdrop

Apps that exploit StrandHogg can eavesdrop on users through the microphone, access text messages, contacts, phone logs and files on the smartphone, take photographs, record phone calls and gain access to location or GPS data.

StrandHogg is already being exploited, with a scan of the Play Store by Promon’s partner Lookout revealing 36 malware apps taking advantage of the vulnerability. Among those apps was a version of a trojan known as Bankbot, malicious software that was first observed in 2017 and has seen multiple variants spring up since. Attacks attributed to Bankbot have been found in Europe, the US, Asia Pacific and Latin America.

There were reports that more than financial institutions have been targeted using the technique, but Google did not confirm if any Irish banks were among that number.

‘Tangible proof’

“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” Promon chief technology officer Tom Lysemose Hanse said. “The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”

Apps in the Google Play Store are among those at risk from the malware, with Promon saying all the top 500 could be hit by the vulnerability.

In a statement, Google said it appreciated the researchers work, and had suspended the potentially harmful apps identified. “Google Play Protect detects and blocks malicious apps, including ones using this technique,” it said. “Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”

Although the Play Store has blocked some of the malicious apps that use this technique, new ones are emerging all the time, Promon said, with some racking up millions of downloads before being removed.

Promon chief executive Gustaf Sahlman said users should be “extra vigilant” and called on companies to ensure they had “robust app protection in place”.