The exploit interrupts the flow of an app from launch to welcome screen and forces a user to give a piece of malware powerful permissions before letting the legitimate app run.
"Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw," said Lars Lunde Birkeland, Promon's Marketing & Communication Director.
The exploit works by hijacking a legitimate app as it's launched on almost any Android phone.
Instead of going to the welcome screen or login page, the exploit allows a piece of malware to display so-called permissions pop-ups, the kind that asks if the app can access your contacts, location, and stored data.
"The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you're redirected to the legit app," said Birkeland.
The researchers found that a Trojan program called BankBot used the exploit to give itself powerful permissions that could intercept SMS messages, log keypresses, forward calls, and even lock a phone until you pay a ransom, a concern for anyone running banking, financial, or wallet apps on their phone.
The exploit can also show a fake login page for some apps on some Android phones but the permissions exploit is far more common.
"From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017," they wrote.
"While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android," wrote the researchers.
"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues," said a Google spokesperson regarding the exploit.
Global Android Vulnerability Could Grab Wallet and Banking Data
Published on Dec 3, 2019
by Coindesk | published on Coinage