Android flaw lets hackers use fake login pages to swallow banking data

Just recently, a group of researchers from Norwegian mobile security firm Promon flagged a critical security flaw, called StrandHogg, in Android phones.

Penn State University researchers described aspects of the StrandHogg vulnerability in theory as early as 2015, and Promon notified Google of its discovery this summer, yet Google has not yet plugged the security hole; the company says it is investigating ways to improve Google Play Protect's ability to protect users against similar issues. "An attacker can ask for access to any permission, including SMS, photos, microphone, and Global Positioning System, allowing them to read messages, view photos, eavesdrop, and track the victim's movements", researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann at app security provider Promon say.

The company said the loophole exists in Android's multi-tasking system and that threat actors have been exploiting it with malicious apps that impersonate legitimate apps and steal confidential login credentials, location data, messages, and other private information from their users.

All versions of Android are affected and all of the top 500 most popular Android apps are at risk, they found.

"By exploiting this vulnerability, a malicious app installed on the device can attack the device and trick it so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user's screen". The permissions such an app can request include SMS, camera, microphone and Global Positioning System, each of which in turn gives the attacker access to the corresponding data on the user's device.


"The attack can be created to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims".

"Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts". An attacker exploiting this vulnerability can also capture sensitive information, such as credentials, that users enter when they log in through the spoofed interface.

"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted". Mobile security firm Lookout also analysed the malicious sample and confirmed that it had identified at least 36 malicious apps in the wild that are exploiting the StrandHogg vulnerability.

Importantly, StrandHogg does not spread through applications published in the Google Play Store. Google has been effective at rooting out and removing malicious apps, but it is an ongoing battle, the researchers say.
