{"id":20709,"date":"2020-06-04T17:45:02","date_gmt":"2020-06-04T21:45:02","guid":{"rendered":"https:\/\/www.psafe.com\/en\/blog\/?p=20709"},"modified":"2022-04-27T14:51:07","modified_gmt":"2022-04-27T18:51:07","slug":"strandhogg","status":"publish","type":"post","link":"https:\/\/www.psafe.com\/en\/blog\/strandhogg\/","title":{"rendered":"StrandHogg 2.0 Steals Data From Real Apps"},"content":{"rendered":"<p>Named after the Norse term for an ancient Viking technique for coastal raids, StrandHogg 2.0 is a nefarious new update to an earlier trojan-like malware. Its particular way of working undercover and seizing user data is notable. The relentless inventiveness of hackers is very much on display with this latest threat.<\/p>\n<h3><b>StrandHogg 2.0: Worse Than The Original<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">\u201cStrandHogg 1.0\u201d used Android\u2019s task affinity to hijack applications. By matching the packageName of any other app and then allowing \u201cTaskReparenting,\u201d the StrandHogg app would be launched, undercover, in place of the target app. It would then share the information with the attacker and the targeted app (to go unnoticed).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2020\/06\/faa5dbff4441d817f0bf05fc28b69773.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20712\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2020\/06\/faa5dbff4441d817f0bf05fc28b69773.png\" alt=\"\" width=\"800\" height=\"337\" srcset=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2020\/06\/faa5dbff4441d817f0bf05fc28b69773.png 800w, https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2020\/06\/faa5dbff4441d817f0bf05fc28b69773-300x126.png 300w, https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2020\/06\/faa5dbff4441d817f0bf05fc28b69773-768x324.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p><i><span 
style=\"font-weight: 400;\">Image Source: Promon<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Emilio Simoni, research director at<strong> <a href=\"https:\/\/www.psafe.com\/dfndr-lab\/\/?utm_source=blog&amp;utm_content=stranhogg\">dfndr lab<\/a><\/strong> explains:\u00a0 \u201cUsing this method, you would see (for one typical example) what looks like a fully legitimate Gmail icon on your phone, with the usual login dialogue \u2014 just exactly as it would appear when you\u2019re logging back into your account. <strong>But once you enter your credentials, you\u2019ve unknowingly shared them with the attacker too<\/strong>. To shield its intervention, your info is <\/span><i><span style=\"font-weight: 400;\">also<\/span><\/i><span style=\"font-weight: 400;\"> sent to Gmail (or whatever other legitimate application has been hijacked), continuing your transaction and leaving no signs you\u2019ve been compromised. The malware comes on board in the form of innocent-looking game apps \u2014 one named SuperHappyFunGame \u2014 but it does its worst work undercover.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">StrandHogg 1.0&#8217;s weakness was the presence of sketchy task affinity codes in the Android Manifest. Scouring for the 1.0 version required simply scanning the Google Play store for these problematic taskAffinity declarations. But StrandHogg 2.0 doesn&#8217;t require any special settings, because the attacking code isn\u2019t necessarily present on the Play Store. Instead, the attacker just downloads the attack code later, once the trojan app or game has taken up residence.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">StrandHogg 2.0 <strong>also hijacks additional data via app permissions<\/strong>: so contacts, photos, and even the victim\u2019s movements and location are compromised. 
Simoni advises: \u201cWith the right permissions, StrandHogg 2.0 can even siphon off entire text message conversations, which can enable hackers to defeat two-factor authentication protections.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Norwegian security firm Promon, the firm that gave the malware its name, suggests that updating Android devices with the latest security updates \u2014 out now \u2014 will fix the vulnerability. Users are advised to update their Android devices as soon as possible.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cHowever,\u201d Simoni warns, \u201cthe key is protecting yourself from the next StrandHogg.\u00a0 <strong>For that, you need a front line of defense<\/strong>.\u201d\u00a0<\/span><\/p>\n<h3><b>Protecting Your Devices and Data From Unsafe Apps<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">You should always count on an extra layer of security for your phone. <strong><a href=\"https:\/\/go.onelink.me\/U4Bc?pid=MKT_BLOG_US&amp;amp;c=strandhogg\">dfndr security<\/a><\/strong>, for example, has a <strong>Safe App Installer<\/strong> feature that can operate as your advance-line of defense against apps like SuperHappyFunGame, and the <\/span><i><span style=\"font-weight: 400;\">next<\/span><\/i><span style=\"font-weight: 400;\"> generation of trojans\u00a0 StrandHogg uses. Safe App Installer will also keep you protected from all other malicious apps. 
\u201cThe feature lets you know if an app is unsafe <\/span><strong><i>before<\/i><\/strong><span style=\"font-weight: 400;\"> you even install it,\u201d Simoni advises, \u201cand our team does the work to constantly update our database of malicious apps.\u201d With Safe App Installer, <\/span><i><span style=\"font-weight: 400;\">every<\/span><\/i><span style=\"font-weight: 400;\"> app you consult before installation will be rated for trust.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are two levels of alert if Safe App Installer discovers an issue:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"><strong>Security Alert:<\/strong> If the app is malware.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"><strong>Privacy Alert:<\/strong> If the app already experienced a data breach.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">An app is rated as Trusted only if the app is not malware or has never experienced a data breach.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong><a href=\"https:\/\/go.onelink.me\/U4Bc?pid=MKT_BLOG_US&amp;amp;c=strandhogg\">dfndr security<\/a><\/strong> also offers Anti-Theft Protection for your device, and Identity theft protection for you.\u00a0 \u201cOur PRO package has been very thoroughly thought out to provide users with the full suite of protections they need,\u201d Simoni concludes.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019ll continue to provide updates here on the PSafe blog for new malware that could compromise your security and safety \u2014 stay tuned!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Named after the Norse term for an ancient Viking technique for coastal raids, StrandHogg 2.0 is a nefarious new update to an earlier trojan-like 
malware.<\/p>\n","protected":false},"author":83,"featured_media":20713,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[5],"tags":[30,182,4460,12438],"class_list":["post-20709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-android","tag-malware","tag-news","tag-strandhogg"],"_links":{"self":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts\/20709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/comments?post=20709"}],"version-history":[{"count":2,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts\/20709\/revisions"}],"predecessor-version":[{"id":20715,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts\/20709\/revisions\/20715"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/media\/20713"}],"wp:attachment":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/media?parent=20709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/categories?post=20709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/tags?post=20709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}