This blog post is a continuation of my previous blog on how malware adapts itself and evolves based on conditions it encounters in its environment. StrandHogg and StrandHogg 2.0 overlay malware variants are a perfect example of this. I’ll examine how later StrandHogg variants have become more powerful over time, and how all variants abuse normal Android functions to specifically target apps that use those functions. I’ll also show how StrandHogg uses a combination of trickery, privilege escalation, and abuse of Android platform functions to evade detection, expand its attack surface, and multiply the ways it can be used in mobile fraud.
What is StrandHogg?
StrandHogg is an Android vulnerability found in multiple Android versions in which mobile malware imitates legitimate Android apps and then uses Android functionality in an abusive manner, allowing a malicious app to hijack a legitimate app running on the same device – potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.
StrandHogg uses multiple methods to abuse standard Android functions and exploit software vulnerabilities as part of an overlay attack. In an overlay attack, specially crafted malware is used to trick mobile users into interacting with malicious content that is hidden from their view: concealed, covered by another button or window, or disguised in some other way. The malware is usually designed to contextually match the app’s logic and interaction patterns in order to convince the mobile user that the requested action is desirable or beneficial to them. In reality, the opposite is true: the action the user performs benefits the attacker, usually in the form of a privilege escalation that could allow them to take control of the environment, assume the user’s identity, or hijack or harvest their data.
In order for an overlay attack to be successful, the malicious content must be non-obvious to users and undetectable by malware detection software, and the methods that StrandHogg uses to abuse Android functions do exactly that. You can read more about overlay attacks in this blog. I’ll now explain how StrandHogg does all of these nasty things, how it can exploit both host apps and target apps, and how it abuses normal Android functionality, a classic example of OWASP “Improper Platform Usage”. But don’t worry: with Appdome you can block StrandHogg malware from attacking your Android apps. Keep reading to learn how.
How Does StrandHogg work?
In all variants of StrandHogg, a malicious app installed on an Android device runs in the background and then uses ‘task hijacking’ to impersonate legitimate apps on the same device. This is normally carried out via an overlay attack: when a normal app icon or button is clicked, a malicious ‘overlay’ is executed instead of what the user thinks they clicked on. Once executed, the malicious app tricks victims into granting app permissions to the malicious app or into sending sensitive information to an attacker. This allows attackers to do things like steal PIN codes, bypass multi-factor authentication, intercept or read SMS messages, or initiate a click-bot that launches a barrage of automated ad ‘clicks’ in a mobile game or shopping app to generate fraudulent ad revenue.
Here’s a diagram showing how StrandHogg works in two common scenarios. The first scenario shows an overlay attack where StrandHogg overlays a fake login screen to steal banking credentials.
Scenario 1: StrandHogg Fake app screen overlay to steal credentials
The second scenario shows how StrandHogg can be used to impersonate a legitimate app to trick users into granting permissions to the malicious app (while the user thinks they are granting permissions to the legitimate app). If successful, such an attack could allow an attacker to take control over an app/environment/account, intercept text messages, record conversations, conduct ransomware attacks and more.
Scenario 2: StrandHogg screen overlay for privilege escalation via permission harvesting
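Both scenarios above depend on the user’s taps landing on a screen the user did not intend to touch. An app can make that harder on its own sensitive screens. The following Kotlin activity is an added example written for this post, not Appdome’s product code or anything from the StrandHogg research: it shows a login screen that uses Android’s standard `filterTouchesWhenObscured` setting so that touches arriving while another window is drawn over the app are dropped, and it overrides `onFilterTouchEventForSecurity` on the sign-in button to count and log those dropped touches so the app can report that an overlay was present. The class, view and log tag names are assumptions.

```kotlin
// Added example (not Appdome's code): hardening a sensitive Android screen
// against overlay (tapjacking) input. Package, class and names are assumed.
package com.example.overlaydefense

import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.ViewGroup
import android.widget.Button
import android.widget.EditText
import android.widget.LinearLayout

class LoginActivity : Activity() {

    // Number of touches that reached the sign-in button while another window
    // was drawn over it. A non-zero value is a signal worth reporting.
    var obscuredTouches = 0
        private set

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val password = EditText(this).apply {
            hint = "Password"
            // Standard View setting: discard touches delivered while an
            // overlay from another app covers this window.
            filterTouchesWhenObscured = true
        }

        val signIn = object : Button(this) {
            // The framework calls this before dispatching a touch to the view.
            // With filterTouchesWhenObscured set, the default implementation
            // already rejects obscured touches; this override adds telemetry.
            override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
                val fullyObscured =
                    (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                // FLAG_WINDOW_IS_PARTIALLY_OBSCURED is reported from Android 10 (API 29).
                val partiallyObscured =
                    Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                        (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
                if (fullyObscured || partiallyObscured) {
                    obscuredTouches++
                    Log.w(TAG, "Sign-in touch dropped: window obscured by another window")
                    return false // swallow the touch; it never reaches the click listener
                }
                return super.onFilterTouchEventForSecurity(event)
            }
        }.apply {
            text = "Sign in"
            filterTouchesWhenObscured = true
            setOnClickListener { authenticate(password.text.toString()) }
        }

        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(password, ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.WRAP_CONTENT)
            addView(signIn, ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.WRAP_CONTENT)
        })
    }

    private fun authenticate(password: String) {
        // Placeholder for the app's real login call (hypothetical).
        Log.i(TAG, "authenticate called with a ${password.length}-character secret")
    }

    companion object {
        private const val TAG = "LoginActivity"
    }
}
```

This covers the screen-overlay half of the attack. The task-hijacking half used by the earlier StrandHogg variants is addressed in the manifest rather than in code: giving sensitive activities `android:taskAffinity=""` keeps them from sharing a task with another package’s activities. That attribute is a standard Android manifest setting and a widely published StrandHogg mitigation, not something taken from this post. On Android 12 and later the platform itself also blocks touches that pass through another app’s overlay, but the in-app filter still matters on the older versions StrandHogg targets.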
How is StrandHogg 2.0 Different from Earlier Variants?
StrandHogg 2.0 is an updated version of the overlay malware that uses different exploit methods, which allow for greater scale and make it harder to detect. Specifically, StrandHogg 2.0 carries out exploits using “reflection”, which allows the malware to assume the identity of legitimate apps dynamically at runtime, at the click of a single button, and in a way that is specifically tailored to the resources and assets of the target apps that StrandHogg encounters. In earlier variants of StrandHogg, all of the required app permissions had to be declared in the Android manifest upfront.
As a result, earlier StrandHogg variants could only be carried out on apps one at a time. StrandHogg 2.0 can be exploited against many apps simultaneously at scale.
How to Block StrandHogg Malware using Appdome
Appdome’s Block App Overlay Attacks feature can be used to protect Android apps against overlay attacks, including StrandHogg and StrandHogg 2. Using Appdome’s no-code mobile app security and fraud prevention platform, developers can build overlay attack protection into any Android app in minutes without coding, and without an SDK, gateway, or separate app running on the device. This equips the Android app with all the capabilities it needs to defend itself against overlay attacks and other forms of mobile fraud.
If you want to learn more about any of these features or see them in action, feel free to request a demo to see how Appdome helps mobile developers automate mobile app security and prevent mobile fraud fast, for any app framework, and without changing developer workflows.