Researchers have discovered a serious flaw in the ubiquitous Android operating system that allows malware to masquerade as legitimate applications and deceive users into divulging sensitive data.
Identified by security firm Promon, the malware (dubbed Stranghogg 2.0) infects devices via an illegitimate download and, once onboard, can perform malicious activities via multiple genuine applications.
The malware can also reportedly meddle with application permissions, allowing it to scrape sensitive user data and even track the affected individual’s real-time location.
The vulnerability is present on almost all versions of the Android OS – with the exception of Android 10 (released in September) – accounting for billions of devices.
Strandhogg 2.0 functions by manipulating Android’s multi-tasking mechanism, which enables the user to switch seamlessly between applications without having to reboot them each time.
When a user opens a genuine application, the malware performs a swift hijack and replaces the login page with a rigged overlay, allowing the operators to siphon off any account credentials the user enters.
While the malware does not automatically gain access to all device permissions upon installation, it can also trigger requests to access sensitive data such as messages, photos and location, which the user could then unwittingly approve.
The ability to access both account credentials and SMS messages is a particularly potent combination, because it affords hackers the ability to bypass certain Two-Factor Authentication (2FA) protections used to secure online accounts.
Although Stranghogg 2.0 has the potential to cause serious damage – especially since it is near-impossible to detect – researchers believe the flaw has not been exploited in the wild, a sentiment echoed by Android owner Google.
Promon refrained from publishing any information about the new malware until Google had ample opportunity to develop and issue a fix, to minimise the chances it could be used to mount an attack in the interim.
According to a Google spokesperson, Google Play Protect – the firm’s built-in malware protection service for Android – is now equipped to neutralize Strandhogg 2.0.
While the threat to individual users is reportedly minimal, Android owners are nonetheless advised to update their devices immediately.