StrandHogg: When Malware Means You Need A New Phone

StrandHogg is malware that first appeared on the scene late last year and that hijacks a user’s data in an insidious way.

By taking advantage of a vulnerability in Android’s multitasking, StrandHogg could lie low inside some nondescript app, only to be launched when the user tapped another, legitimate app’s icon. StrandHogg would then “hijack” that app to steal your data.

Incidentally, StrandHogg is the Old Norse word for a “Viking tactic of raiding coastal areas to plunder and hold people for ransom.” It may be one of the great malware names – it’s just fun to say!

StrandHogg v1

So if you had downloaded a StrandHogg-infected app, any other app on your phone could be imitated. This could trick a user into entering sensitive information into StrandHogg, which would then be used for malicious purposes.

Imagine tapping on the icon for your banking app, only to be greeted by a login screen. If your phone is infected by StrandHogg, this login screen could be a perfect imitation created by the StrandHogg malware. Once you enter your credentials, StrandHogg can even start the “real” app you requested, leaving you none the wiser that you just sent your banking information (or GMail login, Facebook password, or whatever) to some bad actors.

Fortunately, for technical reasons, it was relatively easy to keep StrandHogg out of apps in Google’s Play Store (apps downloaded from other sources could easily be infected, though).

Of course, it doesn’t stop there.

StrandHogg v2

StrandHogg v1 was pretty bad. But now StrandHogg v2 is “out”, and it bypasses Google’s Play Store protections, essentially by downloading the “attack code” after the user installs the infected app.

This short video gives a proof-of-concept of the malware:

In case you’re not sure what you’re seeing, here’s what happens:

0:07 – User opens the “App Info” of the StrandHogg v2 malware app. You can see it’s relatively small (under 5 MB) and has no permissions enabled.

0:13-0:59 – User opens 5 standard apps that are installed from the Play Store (Camera, Facebook, Messages, Files, GMail). He then clears them from the app switcher.

1:00 – User opens the StrandHogg v2 malware app (this is a proof of concept; a real one would not be so obvious). After he scrolls down, you can see that the StrandHogg malware has detected several apps that it can “override”. The user selects “Hijack All”.

1:11 – The malware has been activated. You can see the list of hijacked apps as they scroll down.

1:15 – This is the actual “attack”. The user taps the icons for the legitimate Android apps (Camera, Facebook, Messages, Files, GMail) and the StrandHogg malware app is launched instead.

While the hijacked app screens are obviously fake in this video, it wouldn’t be challenging for a real bad guy to create a convincing mock-up of the Facebook, GMail, or banking app, into which you unwittingly enter your credentials.

As if that weren’t bad enough, it’s also possible for StrandHogg to imitate the “Permissions” dialog as if it came from a legitimate app.

So an app that could conceivably use the camera (like Facebook) could be intercepted by StrandHogg, which then asks whether you want to allow Facebook to use the camera. Since you have granted Facebook this permission in the past, you think nothing of tapping “Allow”, but you’ve actually given the malware camera privileges. The same could happen with your microphone, file access, location, etc.

This is basically as bad as it gets, since it could arrive through Play Store apps and leave virtually no trace after an attack.

Vulnerability Closed, But…

However, the StrandHogg v2 vulnerability was closed in an Android security update in May (it’s also been patched in Android 10).

This is great news for owners of a currently-supported Google Pixel phone (sorry, Pixel 1 owners), and people who bought new phones last year.

But if you’re part of the vast majority that doesn’t have Android 10 (it’s on only about 10% of phones), or doesn’t get regular security updates from your phone’s manufacturer, you’re vulnerable to this malware from any app in the Play Store.

Since this vulnerability is only patched in the most recent Android version, if you have an Android phone that is not on Android 10 and doesn’t get security updates, you should consider your phone infected with this malware. It’s unfortunate, especially since many Android flagships cost at or over $1,000, but without regular Android OS or security updates, you should consider any data sent by or stored on your phone as compromised.
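The two criteria above (Android 10, or an older release that has received the May security update) can be checked directly on a device. The script below is an added example, not part of the original post; it reads the standard `ro.build.version.release` and `ro.build.version.security_patch` properties over `adb` and classifies the device. It assumes the fix shipped in the 2020-05 monthly security patch level, so any patch level dated 2020-05-01 or later is treated as patched; that date is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): classify an Android device's
# exposure to StrandHogg v2 using the post's two criteria:
#   1. Android 10 or later carries the fix, or
#   2. an older release has a security patch level at or after the May fix.
# ASSUMPTION: the fix is in the 2020-05 security patch level.
FIX_PATCH_LEVEL="2020-05-01"

# strandhogg_v2_status RELEASE PATCH_LEVEL
#   RELEASE      value of ro.build.version.release, e.g. "9", "8.1.0", "10"
#   PATCH_LEVEL  value of ro.build.version.security_patch, e.g. "2019-11-05"
# Prints "patched" or "exposed".
strandhogg_v2_status() {
    release="$1"
    patch="$2"

    # Major version is everything before the first dot ("8.1.0" -> "8").
    major="${release%%.*}"
    case "$major" in
        ''|*[!0-9]*) major=0 ;;   # non-numeric (e.g. preview letters): treat as old
    esac

    if [ "$major" -ge 10 ]; then
        echo patched
        return 0
    fi

    # Older release: patched only if the monthly patch level is at or after
    # the fix. YYYY-MM-DD strings sort correctly as plain text, so the fix
    # date being first (or equal) in sorted order means patch >= fix.
    if [ -n "$patch" ]; then
        first=$(printf '%s\n%s\n' "$patch" "$FIX_PATCH_LEVEL" | sort | head -n 1)
        if [ "$first" = "$FIX_PATCH_LEVEL" ]; then
            echo patched
            return 0
        fi
    fi
    echo exposed
}

# check_connected_device: query the attached device over adb and classify it.
# Only runs when invoked as "sh strandhogg_check.sh --device".
check_connected_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "release=$rel security_patch=$spl -> $(strandhogg_v2_status "$rel" "$spl")"
}

if [ "${1:-}" = "--device" ]; then
    check_connected_device
fi
```

Run with `--device` while a phone is attached with USB debugging enabled. An "exposed" result means the device falls into the class the post describes: not on Android 10 and not carrying the May update.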

It’s simply not easy to tell whether any of your Play Store apps have been compromised, and even if they haven’t been yet, there’s nothing stopping a developer from pushing an update that enables StrandHogg v2. Remember when CamScanner – a legit app with over 100 million downloads – inserted advertising malware? It can and does happen even with “trustworthy” apps.

Small Addendum:

It’s also worth noting that while StrandHogg v2 was patched, it looks like the StrandHogg v1 vulnerability remains unpatched on all versions of Android. So even users running Android 10 should not install apps from outside the Play Store.