Wultra helped to identify banking login-stealing malware that exploits StrandHogg, a security weakness in Google’s Android OS.
Over 40 financial institutions were targeted by malware that can steal banking login credentials from Android mobile apps.
Through close cooperation with our technology partner, the Nordic company Promon, we helped to identify a dangerous Android vulnerability (dubbed StrandHogg), which was recently reported by the BBC.
Our security researchers at Wultra identified this malware, which tricks users in an unusual way: through an overlay screen created by the attackers. Several infected apps in Wultra’s “Threat Intelligence database” targeted a total of over 60 package names belonging to 40 financial institutions, with the largest number of occurrences in several European countries (Poland, Spain, the Czech Republic and Austria, to name a few).
An infected mobile app exploiting the StrandHogg vulnerability hijacks a legitimate app and performs malicious operations on its behalf. The infected apps we detected were not available through the official Play Store; what we found is that users initially installed other malicious apps (“droppers”) via the Google Play Store, which then downloaded a second-stage payload app capable of more intrusive attacks by exploiting the StrandHogg vulnerability.
Wultra worked closely with Promon, a Norway-based company specializing in in-app security protection, and provided them with a sample of the malware. Promon then further explored the scope and potential of this malicious hijacking bug in the Android OS and, together with Lookout (a US-based mobile security company), confirmed the vulnerability through the discovery of 36 apps that were actively exploiting this security flaw.
Promon also confirmed, after its security researchers tested the Top 500 most popular Android apps on the Google Play Store, that the processes of all of these apps can be hijacked to perform malicious actions via a StrandHogg attack.