What is the StrandHogg Vulnerability?

Samuel Bakken, December 2, 2019
What is the StrandHogg Vulnerability?

The BBC published an article this week about a dangerous vulnerability in the Android operating system called "StrandHogg." Security researchers posit that every Android app is affected by the vulnerability which attackers can exploit to access sensitive data, steal banking credentials, and swipe log-in codes sent via SMS. Both rooted and non-rooted devices running Android, including Android 10, are impacted, and attacks on StrandHogg can occur without a users' knowledge. Read on to learn more about StrandHogg, its impact, what it means for mobile app security in general, and how to protect your mobile apps and users against the vulnerability.

The StrandHogg Vulnerability and Task Hijacking in Android

StrandHoggPromon has named the vulnerability StrandHogg and confirmed that the vulnerability exists in all versions of Android, including Android 10. According to Promon, 500 of the most popular apps in the Google Play Store were vulnerable – leading them to a hypothesis that every Android app is vulnerable by default. In later versions of Android, the malware is also capable of exploiting the vulnerability to inject a fake login screen over the top of an authentic app, without a user knowing, and collecting the user’s credentials.

To reiterate – this is not a theoretical attack or something that’s only been proven in a lab. Promon has tangible evidence of attackers taking advantage of this issue and doing some serious damage – especially to a mobile banking user in one case. With the ability to steal a victim’s banking credentials, for example, and remotely access any security codes sent to that same victim via SMS message, they’ve got all they need to access the account.

Promon’s findings stem from work that Pennsylvania State University researchers conducted more than four years ago. At the time, the researchers made Google aware of the issue in Android’s implementation of its taskAffinity attribute. Now more than four years later, criminals are capitalizing on the flaw.

Below is a video produced by Promon showing the StrandHogg exploit in action.

How Do You Like Your Spiders? Android iOS Vulnerabilities' Effects on Mobile App Security

The news about malware targeting the StrandHogg vulnerability reminded me of a cartoon I saw earlier this month. The cartoon was commenting on the everlasting debate about which mobile operating system is more secure – Android or iOS.

I think the punchline is that the debate is unresolvable. It’s a “pick your poison” conundrum. You’re hard-pressed to make an argument that either Android or iOS is more secure than the other. Both are lucrative targets and groups on both sides of the good-or-evil line expend significant resources in the pursuit of cracking these mobile operating systems for surveillance, fraud, or other reasons.

As an example of how valuable these targets and related exploits can be, consider that Zerodium, a company that buys and sells exploits, pays $2.5 million for “1-click” exploits of Android and $1 million for 1-click exploits of iOS. Zerodium then resells those exploits to their customers (it’s rumored Zerodium’s customers are mostly government organizations). That’s a lot of money changing hands.

Zerodium reports that payouts depend on, among other variables, “the popularity and security level of the affected software/system.” In terms of popularity, web traffic analysis vendor StatCounter puts Android’s worldwide market share at 76.67% and iOS’s at 22.09% as of October 2019.

Most people use Android. It makes sense then that exploits of Android might be more valuable. In terms of perceived security, note that Zerodium updated their pricelist at the beginning of September. That was just a few days after Google researchers revealed a serious campaign of iOS exploits in the wild that compromised iOS users who visited a malicious website, resulting in the attackers gaining control over a visitor’s device (the flaws were fixed in iOS 12.1.4). Zerodium's updated price list lead some to speculate that the market now views iOS as less secure.

But, let’s not forget that it seems not a week goes by without a report of an app on the Google Play Store that is either malicious itself or a decoy whose end goal is to install malware on a user’s Android device.

Protecting Mobile Apps and Users against Unpatched Vulnerabilities

Scary story. But how can we all protect ourselves against attacks on flaws such as StrandHogg or other known and unknown vulnerabilities that go unpatched in mobile operating systems? I argue that app developers (both the actual people that develop mobile apps and the businesses that publish those apps) are the heroes we need in this situation.

Businesses that facilitate services through mobile apps need to realize that really, despite their best efforts, both Android and iOS can leave gaps that expose their apps and users to risk. They need to make additional investments in app security technology such as mobile app shielding and runtime protection that continuously monitor a mobile app as it operates – identifying potentially malicious activity such as this and shutting it down before it does harm. OneSpan App Shielding, for example, has included specific protections against task-hijacking attacks that leverage the StrandHogg vulnerability for almost two months now.

Many developers say that they recognize the importance of security but don’t have enough time to do it properly. So businesses need to ensure they’re giving developers the tools they need to integrate security into the mobile apps they develop. This includes:

  • Providing secure code education
  • Bringing in technology that makes regular security testing (static and dynamic analysis) of mobile apps possible
  • Using trusted SDKs from trusted sources that make it easier for developers to implement strong authentication into their apps and mechanisms that ensure the security of data at rest and in transit
  • Using advanced protections such as app shielding and runtime protection that provide an extra layer of protection against advanced attacks in potentially hostile environments such as Android and iOS devices

Before You Put Your Hand in the Box… Protect Yourself  

Tackling the challenge of developing a successful mobile banking application is no easy feat, and development teams must contend with pressures from every direction. It is imperative to get an application built, tested, and published as quickly as possible. However, in the rush to market, security cannot be overlooked. When releasing a mobile app, there’s no way to be sure who will download it or the conditions of the device on which the app will be used. If a device is compromised, your application is at risk.

App shielding with runtime protection mitigates the risks with proven, reliable security that can fit into tight production schedules and budgets.

StrandHogg
White Paper

Defend Against StrandHogg and Other Mobile Threats

To help security and DevSecOps leaders make the case for stronger mobile security, this white paper presents the business rationale and explains how app shielding with runtime-protection is key to developing a secure, resilient mobile banking app. 

Download Now

Sam is Senior Product Marketing Manager responsible for the OneSpan mobile app security portfolio and has nearly 10 years of experience in information security.