Android flaw lets hackers use fake login pages to swallow banking data

Android 'spoofing' bug helps attackers target bank accounts

Researchers at Norwegian mobile security firm Promon have flagged a critical security flaw in Android, which they call StrandHogg.

Penn State University researchers described aspects of the weakness behind StrandHogg in a 2015 paper, and Promon notified Google of its discovery this summer. Google has yet to plug the hole, but says it is investigating ways to improve Google Play Protect's ability to protect users against similar issues. "An attacker can ask for access to any permission, including SMS, photos, microphone, and Global Positioning System, allowing them to read messages, view photos, eavesdrop, and track the victim's movements", write Promon researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann.

The company says the flaw lies in Android's multitasking system, in how the OS decides which task a newly started activity belongs to, and that threat actors are already exploiting it with malicious apps that masquerade as legitimate apps in order to steal login credentials, location, messages and other private data.

All versions of Android are affected, and all of the 500 most popular Android apps are at risk, the researchers found.

"By exploiting this vulnerability, a malicious app installed on the device can attack the device and trick it so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user's screen". The spoofed screen can also request permissions such as SMS, camera, microphone and GPS, which in turn give the attacker access to the corresponding data on the victim's device.
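The hijack described above works because an Android activity can declare, in its manifest, which task it wants to join (`android:taskAffinity`) and whether it may be moved into another app's task (`android:allowTaskReparenting`); a malicious activity that claims the victim app's package name as its affinity ends up on top of the victim's task when the user taps the real icon. The following script is an added example, not code from the article or from Promon, that scans a decoded `AndroidManifest.xml` (as produced by apktool) for activities carrying those settings. The manifest text, package names and activity names are constructed for illustration.

```python
"""Flag activities whose task settings could be used for StrandHogg-style task hijacking.

Heuristic: an activity that declares a taskAffinity different from its own package,
or that allows task reparenting, can be placed into another app's task. Legitimate
app suites occasionally do this too, so treat hits as leads for review, not verdicts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def scan_manifest(xml_text):
    """Return a list of {'activity': name, 'reasons': [...]} for suspicious activities."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # Activities inherit these from <application> unless they override them.
    app_affinity = _attr(app, "taskAffinity")
    app_reparent = (_attr(app, "allowTaskReparenting") or "false").lower() == "true"

    for act in app.iter("activity"):
        name = _attr(act, "name") or "<unnamed>"
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = app_affinity
        reparent_raw = _attr(act, "allowTaskReparenting")
        reparent = app_reparent if reparent_raw is None else reparent_raw.lower() == "true"

        reasons = []
        # The default affinity is the app's own package name. An empty string ("")
        # means "no affinity" and is a hardening setting, so it is deliberately not flagged.
        if affinity and affinity != package:
            reasons.append(f"taskAffinity={affinity!r} (package is {package!r})")
        if reparent:
            reasons.append("allowTaskReparenting=true")
        if reasons:
            findings.append({"activity": name, "reasons": reasons})
    return findings


# Constructed sample: a "flashlight" dropper whose FakeLogin activity targets a
# hypothetical banking app's package name. Not taken from a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".FakeLogin"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
    <activity android:name=".Settings" android:taskAffinity=""/>
  </application>
</manifest>
"""

# Constructed clean manifest for comparison: everything uses the default affinity.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("dropper", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        hits = scan_manifest(text)
        print(f"{label}: {len(hits)} suspicious activity(ies)")
        for hit in hits:
            print(f"  {hit['activity']}: {'; '.join(hit['reasons'])}")
```

Run it against `apktool d app.apk` output with `scan_manifest(open("AndroidManifest.xml").read())`. The same attribute is also the defensive lever on the victim side: an app that sets `android:taskAffinity=""` on its sensitive activities opts them out of shared tasks, which is why the scanner treats an empty affinity as benign rather than suspicious.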


"The attack can be created to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims".

"Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts". Any credentials a user types into the spoofed login screen are captured by the malicious app.

"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted". Mobile security firm Lookout also analysed the malicious sample and confirmed that it had identified at least 36 malicious apps in the wild exploiting the StrandHogg vulnerability.

Importantly, the malicious apps exploiting StrandHogg were not themselves published in the Google Play Store; they were installed through dropper apps, which Google has been good at rooting out and removing, but the researchers say it is an ongoing battle.
