Do you sometimes feel stranded when dealing with technology? Researchers from a Norwegian company have found some justification for you. A new bug in the Android operating system allows an opportunity for malicious operations to occur when users believe they are using legitimate apps that were downloaded from the official Google Play Store. The researchers are calling it StrandHogg and it is actively being exploited in the wild…otherwise known as a zero-day exploit.
Originally it was discovered after several banks in the Czech Republic reported money disappearing out of its customers’ accounts. After delving into it more, the original researchers along with others at Lookout, a U.S. based firm, found 36 apps actively exploiting it. They didn’t note which ones, but did say they were already malicious when downloaded from the official app store, then reached out to other sites to download more malicious functionality.
These work by taking advantage of Android’s multi-tasking capabilities in the operating system itself. When one app is started, then another after, the original one goes behind the scenes or out of view. That’s when this exploit takes place.
There is no need to feel stranded on a desert island. There are some things you can do to feel better about your mobile device. To mitigate risk of contracting this bug, be ultra-cautious when selecting apps to download, regardless of where they come from. While the official stores are always safer, there is still some risk. Read the reviews of the apps, get the ones with legitimate developers, and pay attention to the permissions being requested by any app. Your banking application probably doesn’t need to access your microphone, but if you use mobile check deposit, it likely needs access to your camera. On the other hand, an app that controls your crockpot doesn’t need access to much at all. Most apps don’t require administrator rights and you should never give access to them unless you know you need to. When in doubt, always click “no.” For StrandHogg, the seemingly legitimate app will ask for permissions for something else when it’s opened. Because the user actively opened it, it’s really difficult to tell that it’s the maliciousness of it asking for the access. If it gets that access, it can take control of the device.
Never sideload applications either. While some are most certainly OK, many are not. They don’t usually go through as much security scrutiny as the ones in your device’s official stores do. Distrust first. If you know without shadow of a doubt that the app is fine, go ahead. If you don’t know for sure, again, just say “no.”
Google was notified of this issue, but has not fixed it as of writing. It affects all versions of the Android operating system, including the recently released one. When you do see a notification that an update is ready to be applied, do it right away. This should be the case with all products you use. And remember to keep anti-virus software installed and updated on all devices.
Taking proactive steps can keep you from feeling alone in a world of technology overload and security risk.