New Android vulnerability called StrandHogg 2.0 identified (Includes interview)

Dubbed StrandHogg 2.0, the vulnerability means that once a malicious app is installed, the malware can request permissions while disguised as legitimate apps to access SMS messages, photos, GPS location and more. When the user accesses their banking app, the malware can insert a mock log-in screen to steal the user’s credentials.

The vulnerability has been included in the May 2020 Android Security Bulletin (CVE-2020-0096) and it represents a significant risk to consumer devices. To understand more about the risk, Digital Journal spoke with Sam Bakken, Senior Product Marketing Manager at OneSpan. Bakken is responsible for OneSpan’s mobile app security portfolio. OneSpan develops security and anti-fraud solutions for more than half of the world’s top 100 banks and thousands of other enterprises.

Bakken begins by explaining why smartphone apps are targeted by hackers: “Mobile apps practically have a target painted on their back. Promon’s recent malware vulnerability discovery dubbed ‘StrandHogg 2.0’ is the latest example of what dangerous malware could do if exploited in the wild – possibly exposing Android users’ mobile banking credentials and access one-time-passwords sent via SMS.”

Bakken looks at how apps and devices can be better protected going forward: “While the potential for damage is pretty clear, there are steps app developers can take to protect apps and users against threats such as these. Android users should update their device to the latest version of Android. Unfortunately, depending on the device manufacturer and a user’s service provider/carrier that may not be possible. This is why app developers and especially developers of mobile financial services apps need to take note.”

However, there will remain cybersecurity concerns with mobile apps, as Bakken explains: “This latest vulnerability serves as a reminder that there’s no reliable way to know the precise security status of mobile devices on which your mobile app operates. Developers have no real way of knowing whether a user’s device is riddled with vulnerabilities, or compromised with malware or not. This is why advanced security such as app shielding and runtime protection that travels with the app to defend it even in hostile conditions is crucial to a complete, layered approach to mobile app security.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
