Dec 19th, 2019

A new security vulnerability was recently disclosed by Promon security experts. Dubbed StrandHogg, the vulerability is designed to exploit tens of malicious Android apps. The bug in the Android operating system works by allowing the malicious apps to hijack a legitimate app and then perform its malicious operations on their behalf. 

According to Promon experts, the vulnerability can trick users unaware of permitting malicious apps when they tap and interact with the legitimate ones. The term StrandHogg is derived from an Old Norse term, which refers to a tactic adopted by the Vikings that raid coastal areas intending to plunder and hold people for ransom. You can prevent the bug from intruding by using the best VPN service provider to prevent hackers from stealing your information. 

The StrandHogg vulnerability is also said to show fake login pages when one is taping on a legitimate application.

How StrandHogg Works

The StrandHogg vulnerability details are straightforward to understand even for non-techie users. StrandHogg is a bug in the way the Android Operating System handles switching between tasks that handle different applications or operations. 

StrandHogg is a bug in the OS component that controls multitasking – the mechanism allows the Android operating system to run multiple processes all at once and switch between them when an app goes in or out of the user’s view (screen).

An installed malicious app on an Android phone can easily exploit the StrandHogg vulnerability to trigger malicious code when the user starts another app – through a feature called “task parenting.” 

An innocent user normally taps on a legitimate app but executes code from a malicious one.  The code can further ask for intrusive permission or display phishing pages. Since the actions are prompted to occur after the icon touch, the user will believe the login screen or permissions were created by the legitimate app, instead of the malicious one. The user will proceed to interact with those elements without raising any suspicions. 

Experts said this makes StrandHogg vulnerability attacks nearly impossible to detect, especially for Android users. Also, Promon experts noted that the attack from the bug does not require any root access to run. StrandHogg vulnerability functions on all Android operating systems, including the new release of Android 10.

Additionally, the Norwegian Company, Promon, tested the leading 500 best and mostly used Apps available on the Google play store and discovered that all apps processes could be hijacked to perform malicious attacks through StrandHogg vulnerability. 

The Company researching team wasted no time by notifying the Android Project of the vulnerability in the multitasking component over the summer. Still, it’s unfortunate even after Android OS developers were informed about the bug, and no action was taken.

For instance, in 2015, an academic team from Penn State University published similar research describing a theoretical attack about a task hijacking that can later be used for UI user monitoring, spoofing and denial of service.  


Experts from Promon Company continue to reveal that, after their research, the new security flaw has already been exploited by malware e-criminals in the wild. The company learned of StrandHogg through Eastern European Security Company that the bug has already caused havoc in various quarters. For example, in the Czech Republic, money has been reported to disappear from customer’s accounts.

According to Promon, it’s after the Eastern European partners gave them a sample for its researchers to analyze where they discovered a security flaw caused by StrandHogg vulnerability. 

Later, Promon Company partnered with Lookout, which confirmed the security flaw and realized 36 apps had been exploited. Promon did not list the 36 apps that the bug used but divulged further that none of the apps were available through the Play Store.

What happened is that the 36 apps were installed on user’s gadgets as second stage payloads. First, the users installed other malicious apps from the Play Store, which later downloaded the StrandHogg apps that were already infected for intrusive attacks.

The StrandHogg vulnerability makes it easy for a malicious app to ask for permissions pretending to be a legitimate app. An attacker can request to have access to any permission, including photos, GPS, SMS, and microphone. When you do that as a user, they view your photos, eavesdrop, read messages, and then track your movement.

The attack can seem genuine to the user as it may come designed to ask permissions which wound naturally appear normal like different targeted apps make a request. That lowers the suspicion from the users and unaware grant the access to hackers without their idea thinking it’s an official app they know. Today, for users to be safe from such undetected malicious attacks, they need to install Android VPN Apps to prevent getting their privacy accessed and used by e-criminals unaware. 

Why StrandHogg is a Vicious Bug

The uniqueness of StrandHogg is the sophistication it has when attacking. The bug requires no device to be rooted; instead, it uses a weakness in the multitasking system of Android to enact powerful attacks that gives access to malicious apps masquerading as any other app on the gadget. After further investigation from Promon Company, they realized that all the Android top 500 most popular apps were at risk, and this affected all versions of Android devices, including the latest release.

local_offer    android vulnerability   StrandHogg  

stars Further Reading