‘StrandHogg’ sounds like something out of Quake II, but it’s actually the name of a new Android vulnerability that allows malware apps to masquerade as legitimate apps, ask for permissions, and then perform all kinds of actions you probably wouldn’t want. For example, one of these apps could read and scan your messages, take photos using your camera, or even phish your logins by giving you bogus sign-in screens instead of the real deal.
How do crappy apps take advantage of StrandHogg?
According to the security firm Promon, StrandHogg affects all Android versions, even a fully updated Android device (as of when we wrote this article), and doesn’t require root access to work.
Promon partner Lookout initially found 36 offending apps one could install that then loaded additional apps onto a user’s device, and these secondary apps exploited the StrandHogg vulnerability. It’s unclear whether these “dropper” apps were found directly on the Google Play Store or not—Lookout representatives later told Ars Technica that none of these 36 apps were on Google’s store—but that doesn’t mean that others won’t pop up and attempt to do the same thing via official or unofficial means. As Promon describes:
“The specific malware sample which Promon analyzed did not reside on Google Play but was installed through several dropper apps/hostile downloaders distributed on Google Play. These apps have now been removed, but in spite of Google’s Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted.
Demonstrative of the scale of Google Play’s issue with dropper apps, researchers recently reported that the malicious CamScanner app, a PDF creator which contains a malicious module, has been downloaded more than 100 million times.”
How can I tell if an app is trying to scam me using StrandHogg?
As much as I hate to say it, common sense is your best guide. If something feels strange with an app you’re using, even if that app is one that you know is legitimate, you should be skeptical. Maybe don’t input your login and password (or payment information) if asked—and don’t give an app extra permissions if it asks for them out of the blue.
Promon’s other tips for telling if an app is exploiting StrandHogg include:
- An app or service that you’re already logged into is asking for a login.
- Permission popups that do not contain an app name.
- Permissions asked from an app that shouldn’t require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
- Typos and mistakes in the user interface.
- Buttons and links in the user interface that do nothing when clicked on.
- The back button does not work as expected.
As always, you can keep yourself safer—not fully protected, but safer—by sticking to recommended apps on the Google Play Store. If an app seems suspicious in its name, description, or awkwardly written reviews, do a little extra research to vet it before you slap it on your device. And resist the urge to sideload apps from outside the Google Play Store; you never know what you’re installing on your device, and you lose any potential protections Google can provide. Once a “dropper” app gets on your device, installing something that can then masquerade as a real app is all too easy.
How do I get rid of StrandHogg-exploiting apps?
If you think you’re stuck with an app that’s exploiting StrandHogg, you can always factory-reset your device. Set it up as a brand-new device, rather than restoring from a backup, and you’ll be back to square one.
Otherwise, you’ll have to figure out which app on your device is sketchy. I think the easiest way to do this is to just start from scratch or, at minimum, delete any apps on your device that you’ve previously downloaded. You can also try installing Lookout’s Security & Antivirus app, but there’s no guarantee that it’ll be able to detect every StrandHogg-exploiting app on your device.
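If you would rather narrow the search than wipe everything, one practical check is to list the user-installed apps on the device together with the package that installed each one, and look at anything that did not come from the Play Store (whose installer package is com.android.vending). Apps that were sideloaded, or that were installed by another app, are exactly the “dropper” pattern described above. The script below is an added example, not from the article, Promon or Lookout; it assumes adb is installed and USB debugging is enabled, and it parses the output of `adb shell pm list packages -3 -i`. The package names in the embedded sample are constructed placeholders, not real apps.

```shell
#!/bin/sh
# Added example (not from the article). Lists user-installed Android packages
# whose installer is not the Google Play Store, which is where sideloaded apps
# and apps planted by a "dropper" show up. Assumes adb + USB debugging.

TRUSTED_INSTALLER="com.android.vending"   # Google Play Store package name

# flag_non_play_installs: reads lines in the format printed by
#   adb shell pm list packages -3 -i
# i.e. "package:<pkg>  installer=<installer-pkg-or-null>", and prints
# "<pkg> <installer>" for every package not installed by the Play Store.
flag_non_play_installs() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;        # only parse package lines
            *) continue ;;
        esac
        # Split on whitespace: $1 = package:<pkg>, $2 = installer=<src>
        set -- $line
        pkg=${1#package:}
        src=${2#installer=}
        [ -n "$src" ] || src="unknown"
        if [ "$src" != "$TRUSTED_INSTALLER" ]; then
            printf '%s %s\n' "$pkg" "$src"
        fi
    done
}

# count_non_play_installs: same input, prints just the number of flagged packages.
count_non_play_installs() {
    flag_non_play_installs | wc -l | tr -d ' '
}

# Constructed sample output (placeholder package names) so the script runs
# offline. "installer=null" is what pm prints for a manually sideloaded APK;
# an installer that is itself a third-party app is the dropper pattern.
SAMPLE='package:com.example.bank  installer=com.android.vending
package:com.example.dropper.game  installer=null
package:com.example.secondary  installer=com.example.dropper.game'

# Offline demo over the constructed sample:
printf '%s\n' "$SAMPLE" | flag_non_play_installs

# Live use against a connected device (uncomment):
# adb shell pm list packages -3 -i | flag_non_play_installs
```

Review the flagged packages before removing anything: a package whose installer is another user-installed app is worth checking first, since that is how the secondary apps Lookout described arrive. An app you knowingly sideloaded will also appear here, so the list is a starting point for the research the article recommends, not a verdict.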