DevSec Blog | How to Block StrandHogg Malware on Android Apps

How mobile malware adapts and changes based on the environment and how that enances its ability to prey on ususpecting users.

Overlay Attacks — a New Spin on an Old Trick —How StrandHogg innovates To Stay Relevent

This blog post is a continuation of my previous blog on how malware adapts itself and evolves based on conditions it encounters in its environment. StrandHogg and StrandHogg 2.0 overlay malware variants are perfect examples of this. I’ll examine how later StrandHogg variants have become more powerful over time, and how all variants abuse normal Android functions to specifically target apps that use those functions. I’ll also show how StrandHogg uses a combination of trickery, privilege escalation, and abuse of Android platform functions to evade detection, expand its attack surface, and multiply the ways it can be used in mobile fraud.

What is StrandHogg?

StrandHogg uses multiple methods to abuse standard Android functions and exploit software vulnerabilities as part of an overlay attack. In an overlay attack, specially crafted malware is used to trick mobile users to interact with malicious content that is hidden from their view, concealed, covered by another button or window, or disguised in some other way. The malware is usually designed to contextually match up with the app’s logic and interaction patterns in order to deceive the mobile user that the requested action is desirable or beneficial to them. But in reality, the opposite is true (ie: the action that the user performs benefits the attacker, usually in the form of privilege escalations, that could allow them to take control over the environments, assume the user’s identity, or hijack/harvest their data and more).

In order for an overlay attack to be successful, the malicious content must be non-obvious to users and undetectable by malware detection software, and the methods that StrandHogg uses to abuse Android functions do exactly that. You can read more about overlay attacks in this blog. I’ll now explain how StrandHogg does all of these nasty things, how it can exploit both host apps and target apps, and how it abuses normal Android functionality, a classic example of OWASP “Improper Platform Usage”. But don’t worry, with Appdome you can block StrandHogg malware from attacking your Android apps. Keep reading to learn how.

How Does StrandHogg work?

Here’s a diagram showing how StrandHogg works in 2 common scenarios, The first scenario shows an overlay attack where StrandHogg overlays a fake login screen to steal banking credentials.

Scenario 1: StrandHogg Fake app screen overlay to steal credentials

The second scenario shows how StrandHogg can be used to impersonate a legitimate app to trick users into granting permissions to the malicious app (while the user thinks they are granting permissions to the legitimate app). If successful, such an attack could allow an attacker to take control over an app/environment/account, intercept text messages, record conversations, conduct ransomware attacks and more.

Scenario 2: StrandHogg screen overlay for privilege escalation via permission harvesting

How is StrandHogg 2.0 Different Than Earlier Variants

As a result, earlier StrandHogg variants could only be carried out on apps one at a time. StrandHogg 2.0 can be exploited against many apps simultaneously at scale.

How to Block StrandHogg Malware using Appdome

If you want to learn more about any of these features or see them in action, feel free to request a demo to see how Appdome helps mobile developers automate mobile app security and prevent mobile fraud fast — for any app frameworks, and without changing developer workflows.

Originally published at on June 23, 2021.



ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.