New Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild

Yolanda Curtis
December 4, 2019

Lookout, another security firm working in conjunction with Promon, identified no fewer than 36 malicious apps already actively exploiting the vulnerability. "Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using", the Norwegian security company explains. "The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected".

The list of possible things hackers can have access to as noted by Promon researchers include listening to the user's conversations and even recording them, read and send messages, take photos, phish login credentials, access photos and files. In all it found that 60 financial institutions had been targeted with various apps that exploited the vulnerability. This is an OS-level that, sadly, hasn't been fixed by Google in any version of Android to date and all Android devices are exposed to this security flaw and malicious intent.

Called Strandhogg, the vulnerability can be used to trick users into thinking they are using a legitimate app but are actually clicking on an overlay created by the attackers.


Despite Penn State University researchers theoretically describing certain aspects of the StrandHogg vulnerability in 2015 and Promon notifying Google of their discovery this summer, Google has yet to plug the security hole, but they said they are investigating ways to improve Google Play Protect's ability to protect users against similar issues.

The researchers further note that sophisticated attacks by way of StrandHogg do not require the device to be rooted.

In addition to the threats listed above, an attacker could leverage StrandHogg to access a user's private photos and files, get location and Global Positioning System information, access a user list of contacts, and sift through phone logs.


The vulnerability enables malicious apps to be disguised as legitimate ones by exploiting a bug in the Android multitasking engine.

This vulnerability is "based on an Android control setting called taskAffinity, which allows any app, including the malicious ones, to freely assume any identity in the multitasking system they desire".

Google has responded to news of the vulnerability by saying: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified".


"The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play", the researchers added.

Other reports by iNewsToday

FOLLOW OUR NEWSPAPER