Android Malware Extracts Passwords from Any Legit App

John Lister's picture

Security researchers say a serious Android bug could let malware pose as a legitimate app and gain unwanted access to a phone's data and functions. The concept of the 'StrandHogg' bug has been known for several years, but now it's being actively exploited to target online banking.

In simple terms, the bug has two unwanted effects: it can trick users into giving malware sensitive 'permissions' to access the phone, and it can hijack legitimate apps to trick users into handing over login details and sensitive information.

Researchers at Promon explain the bug is with a security setting called "taskAffinity," which is to do with the way a phone keeps track of its "to do" list of tasks when running multiple applications. The idea is that taskAffinity shows which app a particular task relates to, making it easier to rearrange or update the list of tasks into a more efficient order. (Source:

The StrandHogg bug effectively means apps can use a bogus taskAffinity setting. This means that Android treats tasks from the malware as if they were being carried out by a legitimate app.

Permissions System Abused

The first unwanted consequence of this bug is that the malware can "cut in line" when a user taps on the icon to open the legitimate app. The malware can then ask the user to grant a particular permission, such as accessing GPS data or reading text messages. To the user it will appear the legitimate app is asking for the permission, so they will be more likely to grant it.

The second unwanted consequence also involves the malware activating when the user opens a legitimate app. In this case the malware displays a bogus login screen for the legitimate app. Once login details are submitted, data is sent to the malware creator; the malware then closes itself and tells the phone to open the legitimate app. (Source:

The biggest concern with StrandHogg is that it's a bug with Android itself rather than any specific app. Promon says it tested the bug with 500 leading apps and found all were vulnerable.

Malware Spreads Through 'Safe' Apps

The main mitigating factor is that the malware has to get on the phone in the first place.

Promon says in the real world examples it found, the malware wasn't directly in any Google Play Store apps. However, Play Store apps did act as a Trojan "dropper", meaning that once installed on a phone, they then downloaded and installed the malware.

While Google often finds and blocks such dropper apps, the sheer number of apps it deals with means some slip through. One dropper app, which was billed as a PDF creator, had more than a hundred million downloads.

Google is investigating what if any changes to make to Android to fix the StrandHogg bug. In the meantime the best advice for users is:

  • Take extra care when installing apps, even ones in the Google Play store.
  • Think twice when granting permissions or typing in sensitive data.
  • For the most sensitive apps such as online banking, prefer apps that don't require you to type in the entire login details in one go. Instead prefer ones with biometric logins or those which ask you to type specific characters from a password.

What's Your Opinion?

Are you surprised such a bug exists? Does it put you off using Android? Do you take a different approach to security on mobile devices compared with PCs?

Rate this article: 
Average: 5 (6 votes)


gm.warden_4400's picture

Does it surprise me that such a bug exists? In a word, No.
What does surprise me is that it has been known for several years, and nothing was done to remedy the situation or disable the setting the bug exploits.
"Does it put you off using Android?"
If this is the kind of careless disregard they have for their customer base...