Posted on December 3, 2019 at 3:47 PM
Android Malware Overlays Permission Pop-ups on OS
Promon, a security firm, has recently discovered an Android vulnerability that allows hackers to exploit permission pop-up windows.
According to the security firm, the attacker can request any permission, such as GPS, microphone, photos, or SMS. The flaw lies in the OS itself and can be used to deceive users into giving out sensitive information from their Android devices. The user remains exposed, as the malware can exfiltrate very sensitive data from the phone.
The deceit in pop-up features
Normally, permission pop-ups work as a safety feature to protect users against unauthorized access to their sensitive information. If an app requires access to any information on your phone, the permission pop-ups notify you for approval. The handy tool is a good safety feature that can prevent automatic access to your sensitive data from malicious sources.
However, the pop-up is ironically flawed. Some of the pop-ups now do the opposite of what they were designed for because of the hacking overlay. Hackers use malicious Android software to override the original permission request and replace it with a fake permission pop-up. The user sees the same permission request, but the pop-up does something different once permission is granted.
The users are deceived into believing they are letting a legitimate app access their sensitive information. In reality, the malicious app is preparing an attack on important data and information within the user's Android device.
Promon said the attack would look very genuine to reduce any suspicion from the user. Most times, the attack requests permissions similar to requests from other genuine targeted apps. This makes it difficult to differentiate between the genuine app and a malicious one.
The malicious app can also take over the permission pop-up of a legitimate Android app. In other words, what the user sees looks like the real Android app, but the actions taken on the phone are solely those of the malicious app. Similarly, the app can overlay look-alike login windows on a banking app or social media app to trick users into handing over their passwords.
Where the vulnerability comes from
The vulnerability in the permission pop-ups is a result of taskAffinity, a multitasking mechanism in Android. It lets a malicious app override the activities of another app and take that app's place on the OS. This mode of operation makes the fake app harder to detect and manage.
It completely impersonates the genuine app, while the user still believes the permission requests come from the genuine app. Once the user has granted permission, the malware uses it to access systems and applications on the Android device and harvest the user's sensitive information.
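The taskAffinity mechanism described above is what an app-vetting pipeline would inspect. The following script is an added example, not code from Promon or this article: it parses a decoded AndroidManifest.xml and flags activities that declare a taskAffinity belonging to another package or enable allowTaskReparenting, both of which are real manifest attributes; the sample manifest and the flagging heuristic are constructed for illustration.

```python
"""Audit a decoded AndroidManifest.xml for task-affinity settings that
deserve a closer look. This is a vetting heuristic, not a StrandHogg detector."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)

def audit_manifest(manifest_xml: str) -> list:
    """Return one finding per activity whose task settings diverge from the default.

    An activity is flagged when its taskAffinity is an explicit value other than
    the app's own package (the default affinity) or the empty string (no affinity),
    i.e. it asks to join another app's task, or when allowTaskReparenting="true",
    which lets it migrate into a task sharing its affinity when that task is
    brought to the foreground.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    # taskAffinity on <application> changes the default for every activity.
    app_affinity = _attr(app, "taskAffinity", package)
    for act in app.findall("activity"):
        affinity = _attr(act, "taskAffinity", app_affinity)
        reparent = _attr(act, "allowTaskReparenting", "false").lower() == "true"
        reasons = []
        if affinity not in ("", package):
            reasons.append(f"taskAffinity={affinity!r} targets another package's task")
        if reparent:
            reasons.append("allowTaskReparenting=true")
        if reasons:
            findings.append({"activity": _attr(act, "name", "?"),
                             "affinity": affinity, "reasons": reasons})
    return findings

# Constructed sample manifest (hypothetical package names) for a stand-alone run.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".LoginLookalike" android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
    <activity android:name=".Settings" android:taskAffinity="" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding["activity"], "->", "; ".join(finding["reasons"]))
```

Setting android:taskAffinity="" on an app's own activities, as .Settings does above, removes the shared affinity that such reparenting relies on and is not flagged.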
Promon discovered this vulnerability after several bank customers in the Czech Republic complained that their money mysteriously disappeared from their bank accounts. A company representative gave Promon a sample of the actual malware that took advantage of the flaw.
To execute the attack, the hackers make use of "hostile downloader" and "dropper apps" on the Google Play Store. At first, the malicious apps may appear harmless, but they start causing havoc by secretly downloading StrandHogg-based malware onto the user's Android device.
Google responds to vulnerability
Google has already reacted to the vulnerability by saying it has removed the harmful apps from its Play Store. The internet giant has also updated Google Play Protect and Android to prevent apps from initiating the StrandHogg attack.
Google also said the company is investigating the vulnerabilities and improving the overall safety features of the Google app. Google has reiterated its desire to protect users from such exploitation, and its investigation into a permanent fix is still ongoing.
However, Promon said the OS is still vulnerable because Google has not yet patched it against the StrandHogg attack. Lookout said that the companies involved had not named the apps that were involved or compromised, so it is still not known how far the infiltration has spread.