According to the BBC, the vulnerability is used to fool users into thinking they are using a legitimate app but are actually clicking on an overlay created by the attackers.
Promon, who discovered the flaw in Google’s Android software, has shared an update, in which StrandHogg is described as a ‘Critical Severity Vulnerability’ – the highest severity rating. According to Promon: “This is the highest severity rating, meaning that a fix is urgently required.”
In the meantime, Google has said it has taken action to close the loophole and was keen to find out more about its origins.
In terms of what the issue means for users of Android devices, Sam Bakken, Senior Product Marketing Manager at OneSpan, provides an update for Digital Journal. OneSpan develops security and anti-fraud solutions for more than half of the world’s top 100 banks and thousands of other enterprises.
Bakken says: “It’s great to see Google acknowledging the danger of the StrandHogg Android flaw by labeling it a ‘Critical Severity Vulnerability’ and planning to issue a CVE.”
However, he is less impressed with the technology giant’s timing, noting: “It’s unfortunate that it took four years to do so because it gave attackers ample time to use the StrandHogg vulnerability to steal Android users’ mobile banking credentials and access one-time-passwords sent via SMS.”
Bakken is, however, pleased to see that action is being taken: “Luckily, app developers can take action to protect their apps and consumers. Mobile app security technology like app shielding can protect against the StrandHogg vulnerability and other similar security issues that Google still has not fixed in Android.”