StrandHogg Android Vulnerability Allows Malicious Apps to Pose as Legitimate Ones

An Android vulnerability has been discovered that allows malicious apps to disguise themselves as legitimate apps and gain full permissions. The vulnerability is being actively exploited by dozens of malicious apps.

In order for the flaw to be exploited, a malicious app must first be downloaded. Once on the device, it can masquerade as any legitimate app on the device. When the app icon of a legitimate app is clicked, the malware is displayed and will ask for permissions to be granted, such as allowing the app to send SMS messages or have access to the camera and microphone.

Since the user will have clicked on a legitimate app, they will most likely think they are giving permission to the app they have clicked, rather than the malware. After permissions have been granted, the user will be directed to the app they have clicked and will be none the wiser about what has just happened.

The flaw was discovered by researchers at Promon, who found that all of the top 500 most popular Android apps are susceptible as the flaw is in the Android system. The flaw also affects all Android versions, including Android 10. The vulnerability can also be exploited on all devices, not just those that have been rooted.

The vulnerability is present in the multitasking system of Android in a control setting called taskAffinity. The flaw allows any app to assume any identity in the multitasking system.

The flaw, which has been named StrandHogg by the researchers, has yet to be addressed by Google, so all devices are vulnerable. The flaw is being actively exploited by the BankBot banking Trojan and 36 malicious apps, according to Lookout. The earliest known cases of exploitation of the flaw date back to 2017.

Researchers at Promon note that the malware sample they analyzed was being distributed by malware droppers that have already been removed from the Google Play Store; however, it is possible that other apps are still active and may have been downloaded by thousands or even millions of users.

The capabilities of any malware that exploits the flaw will be dependent on the permissions that are granted by the user, but since it is possible for the attackers to be granted all manner of permissions, they could perform any number of malicious actions including accessing phone logs, contact information, reading and sending SMS messages (including obtaining 2FA codes), listening in to conversations via the microphone, accessing photos, taking photos, obtaining GPS information, and much more.

The researchers have found evidence that the flaw is being exploited to obtain sensitive information from infected devices. Unfortunately, there is no easy way to determine whether the flaw has already been exploited on an Android device nor is there any reliable way to block an attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of