Dubbed Strandhogg, the vulnerability resides in the multitasking feature of Android that can be exploited by a malicious app installed on a device to masquerade as any other app on it, including any privileged system app.
Once the malicious app, disguised as a normal app, is delivered on the targeted phone, it exploits the bug and begins to display fake overlays on top of legit apps.
The permission requests shown on screen can give attackers access to the camera, the ability to read and send messages, record phone conversations, obtain location and Global Positioning System information, steal the contact list and phone logs, and extract all files and photos stored on the compromised device.
By tricking users into thinking they are using a legitimate app, the vulnerability makes it possible for malicious apps to conveniently steal users' credentials using fake login screens, as shown in the video demonstration.
The attacker can request permissions that would be natural for the impersonated app to ask for, which lowers victims' suspicion. The most commonly abused permissions cover SMS, the camera, the microphone and Global Positioning System, each of which in turn gives the attacker access to the user's device. Security researchers from Promon discovered the "Strandhogg" vulnerability, which affects all Android versions, including the latest, Android 10.
According to the researchers, some of the identified malicious apps were also being distributed through several droppers and hostile downloader apps available on the Google Play Store.
"Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts". "These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted", researchers say.
"We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information". Hackers also don't require root access to exploit this vulnerability in Android devices.
"The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected".
Promon said the research built upon work carried out by Penn State University in 2015, which found aspects of the flaw and disclosed it to Google, but the search giant dismissed the vulnerability's severity. Users who already had another malicious app on their devices were found to have the StrandHogg-exploiting apps installed as well.