How to Determine If an Android App Is StrandHogg Malware in Disguise
StrandHogg sounds like something from Quake II, but it’s actually the name of a new Android vulnerability that allows malicious apps to disguise themselves as legitimate apps, ask for permissions, and then do all sorts of things you probably don’t want. For example, one of these apps can read and scan your messages, take photos with the camera, or even phish your logins by presenting you with fake login screens instead of real ones.
How do crappy apps use StrandHogg?
According to Promon security, StrandHogg affects all versions of Android, even a fully updated Android device (at the time of this writing), and does not require root access to function.
Promon’s partner Lookout initially identified 36 offending apps that could be installed by dropper apps downloaded to a user’s device, and these secondary apps exploited the StrandHogg vulnerability. It’s unclear if these dropper apps were found directly on the Google Play store or not – Lookout later told Ars Technica that none of the 36 apps were on the Google store – but that doesn’t mean others won’t show up and try to do the same in formal or informal ways. As Promon describes:
“The specific malware sample that Promon analyzed was not on Google Play, but was installed through several dropper / malware downloader apps distributed on Google Play. These apps have been removed, but despite the Google Play Protect security suite, dropper apps continue to be published and often go unnoticed, with some downloaded millions of times before being detected and removed.
Proving the scale of Google Play’s dropper problem, researchers recently reported that the malicious application CamScanner, a PDF creator that contains a malicious module, has been downloaded over 100 million times.”
How do I know if an app is trying to trick me with StrandHogg?
As much as I hate to say it, common sense is your best guide. If something seems odd about an application you are using, even though you know it is a legitimate application, you should be skeptical about it. Perhaps do not enter your username and password (or payment information) if asked, and do not give the application additional permissions if it unexpectedly asks for them.
Other Promon tips on how to determine if an app is using StrandHogg include:
- An application or service that you are already signed in to asks for a login.
- Permission pop-ups that do not show an app name.
- Permission requests from an application that should not need the permissions it is asking for. For example, a calculator app that asks for GPS permission.
- Typos and errors in the user interface.
- Buttons and links in the user interface that do nothing when clicked.
- The back button does not work as expected.
As always, you can keep yourself safe – not completely, but more secure – by sticking to the recommended apps in the Google Play Store. If an app seems suspicious because of its name, its description, or awkward reviews, do a little additional research to vet it before using it on your device. And resist the urge to download apps outside of the Google Play Store; you never know what you’re installing on your device, and you lose any potential protection Google might provide. And once a dropper hits your device, it becomes all too easy for it to install something that can then disguise itself as a real application.
How can I get rid of apps that use StrandHogg?
If you think you are stuck with an app using StrandHogg, you can always factory reset your device. Set it up as a new device, rather than restoring from a backup, and you’ll be back to where you started.
Otherwise, you’ll have to figure out which app on your device is sketchy. I think the easiest way to do this is to simply start from scratch, or at the very least uninstall all the apps you previously downloaded on your device. You can also try the Lookout Security & Antivirus app, but there is no guarantee that it will be able to detect every app using StrandHogg on your device.