Global Android Vulnerability Could Grab Wallet and Banking Data

Published by Coindesk

The exploit interrupts the flow of an app from launch to welcome screen and forces a user to give a piece of malware powerful permissions before letting the legitimate app run.

"Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw," said Lars Lunde Birkeland, Promon's Marketing & Communication Director.

The exploit works by hijacking a legitimate app as it is launched, on almost any Android phone.

Instead of going to the welcome screen or login page, the exploit allows a piece of malware to display so-called permissions pop-ups, the kind that asks if the app can access your contacts, location, and stored data.

"The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you're redirected to the legit app," said Birkeland.

The researchers found that a Trojan program called BankBot used the exploit to grant itself powerful permissions, letting it intercept SMS messages, log keypresses, forward calls, and even lock a phone until a ransom is paid. That is a concern for anyone running banking, financial, or wallet apps on their phone.
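The permissions the article lists (SMS interception, call forwarding) are ordinary Android runtime permissions, so one after-the-fact check a defender can run on a device is to audit which installed packages actually hold them. The following is an added example, not code from the article or from Promon, Lookout or Google: it parses the `runtime permissions:` section of `adb shell dumpsys package` output and flags packages holding high-risk grants that are not on an allow-list the caller maintains. The dumpsys excerpt is constructed, the package names are hypothetical, and the allow-list is an assumption; the permission names themselves are real Android identifiers. This audits the outcome (unexpected grants), it does not detect or fix the launch-hijacking flaw itself.

```python
import re
from collections import defaultdict

# Real Android permission names whose grant matches the capabilities the
# article attributes to the malware (reading/receiving SMS, placing or
# redirecting calls, reading contacts).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample resembling the "runtime permissions:" section that
# `adb shell dumpsys package <pkg>` prints, for two hypothetical packages.
# This is NOT real device output.
SAMPLE_DUMPSYS = """\
Package [com.example.bank] (1a2b3c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=false
      android.permission.CAMERA: granted=true
Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.CALL_PHONE: granted=true
      android.permission.READ_CONTACTS: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_granted_permissions(dump):
    """Map each package name to the set of runtime permissions it holds
    (granted=true). Lines outside a 'Package [...]' block are ignored."""
    granted = defaultdict(set)
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)


def flag_high_risk(granted, expected=None):
    """Return {package: sorted list of high-risk permissions} for packages
    holding grants that are not on the caller's allow-list. The allow-list
    (package -> set of permissions it legitimately needs) is an assumption
    about how an organisation would record its approved apps."""
    expected = expected or {}
    findings = {}
    for pkg, perms in granted.items():
        risky = (perms & HIGH_RISK_PERMISSIONS) - expected.get(pkg, set())
        if risky:
            findings[pkg] = sorted(risky)
    return findings


if __name__ == "__main__":
    grants = parse_granted_permissions(SAMPLE_DUMPSYS)
    for pkg, perms in flag_high_risk(grants).items():
        print(f"{pkg}: unexpected high-risk grants {perms}")
```

On a real device the input would come from `adb shell dumpsys package <pkg>` for each installed package; a flashlight-style utility holding SMS and call permissions is exactly the kind of result worth investigating and revoking.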

The exploit can also show a fake login page for some apps on some Android phones, but the permissions exploit is far more common.

"From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017," they wrote.

"While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android," wrote the researchers.

"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues," said a Google spokesperson regarding the exploit.