Researchers find vulnerability to take over Android permissions
Security researchers have found a vulnerability in Android that allows apps to take over the permissions of other apps. According to the discoverers, the vulnerability is also being actively exploited, but not by apps in the Play Store.
The vulnerability was discovered by the Norwegian security company Promon. The company calls the vulnerability Strandhogg. It allows infected apps to take over the permissions of legitimate applications. For example, via such apps an attacker can access text messages in order to intercept 2FA codes, or access files on the disk.
The vulnerability is in the way Android switches between tasks. Through an Android setting called ‘taskAffinity’, an app can take over the identity of another task that is currently running. The bug can then become active the moment a user starts a legitimate app, whereupon the fake app can ask for certain permissions. To the user it looks as if the legitimate app is asking for that permission, so users are more inclined to grant it.
In addition to asking for permissions, this method also allows an attacker to display a phishing page to steal a user’s login details. The method works on any version of Android, including on devices that don’t have root access. The researchers tested the method against the 500 most popular Android apps in the Play Store and were able to exploit the vulnerability against all of them.
The malicious applications were not in the Play Store itself, but could be downloaded via a dropper app. Dropper apps are applications that are in the Play Store, but install one or more apps from outside it. Such apps pretend to be legitimate apps, but are typically used to install malware. The applications have since been removed by Google, the discoverers say.
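As an added example (not from Promon or the original article), the sketch below shows how a defender could screen a decoded AndroidManifest.xml for the taskAffinity pattern described above: an activity whose task affinity names a package other than the app's own. The sample manifest, the package names and the function name `foreign_affinities` are constructed for illustration, and the own-package prefix rule is a heuristic assumption.

```python
import xml.etree.ElementTree as ET

# Attributes in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded manifest of a hypothetical app under review.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:taskAffinity="com.example.flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.bank"/>
    <activity android:name=".Settings" android:taskAffinity=""/>
    <activity android:name=".Widgets"
        android:taskAffinity="com.example.flashlight.widgets"/>
  </application>
</manifest>
"""

def foreign_affinities(manifest_xml):
    """Return (activity name, affinity) for every activity whose effective
    taskAffinity points at a package other than the app's own."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # An activity without its own taskAffinity inherits the application's.
    app_affinity = app.get(A + "taskAffinity")
    findings = []
    for tag in ("activity", "activity-alias"):
        for act in app.findall(tag):
            affinity = act.get(A + "taskAffinity", app_affinity)
            # Absent: defaults to the app's own package. Empty: no affinity.
            if not affinity:
                continue
            # Heuristic (assumption): names under the app's own package are benign.
            if affinity == package or affinity.startswith(package + "."):
                continue
            findings.append((act.get(A + "name"), affinity))
    return findings

if __name__ == "__main__":
    for name, affinity in foreign_affinities(SAMPLE_MANIFEST):
        print(f"review: activity {name} declares foreign taskAffinity {affinity}")
```

A hit is a reason to review the app, not proof of abuse; the check only reports what the manifest declares.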