StrandHogg flaw lets hackers hijack nearly any Android phone

The StrandHogg logo superimposed on a Samsung Galaxy S10.
(Image credit: Tom's Guide/Promon)

UPDATED with comment from Google.

There's a new Android security flaw that affects all versions of Android, including Android 10, and cybercriminals are using it to break into online bank accounts and steal money from users. 

The vulnerability, called StrandHogg, abuses the task-affinity setting in Android's multitasking system and affects unrooted and rooted phones alike. Although Google has known of StrandHogg for at least three months, no fix has yet been delivered.

"StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted," says a report posted earlier this week by researchers at Norwegian security firm Promon, who found and named the bug. 

"To carry out attacks, the attacker doesn't need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner."

Hackers exploiting StrandHogg can "listen to the user through the microphone; take photos through the camera; read and send SMS messages; make and/or record phone conversations; phish login credentials; get access to all private photos and files on the device; get location and GPS information; get access to the contacts list [and] access phone logs," according to the report.

UPDATE: In response to a query from Tom's Guide, Google provided this statement:

"We appreciate the researchers' work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we're continuing to investigate in order to improve Google Play Protect's ability to protect users against similar issues."

We've repeated our question to Google about when a patch might be forthcoming, and will update this story again if we receive an answer. 

How to protect yourself from the StrandHogg flaw

If you're an Android user, it won't be easy to tell if your phone has been infected by StrandHogg-exploiting malware. However, you should get suspicious if an app to which you're already logged in, such as Facebook or Google, asks again for login credentials, or if an app seems to make excessive permission requests.

Running one of the best Android antivirus apps should protect you for the most part, especially if you download apps only from the Google Play Store and grant no app the permission to install apps from outside it (the "Install unknown apps" setting on recent Android versions).

Promon posted a video showing how StrandHogg could steal login credentials from someone using a Samsung Galaxy S10 phone running Android 10.

San Francisco security firm Lookout Mobile Security partnered with Promon and found 36 apps exploiting the StrandHogg flaw. Many were banking Trojans designed to steal money from online bank accounts.   

None of those 36 apps were in the Google Play Store, but there's a twist. Sticking to the Google Play Store for apps won't be enough to protect you, because Promon found several "dropper" apps in Google Play that, once installed, would then install StrandHogg-exploiting apps without the users' knowledge in a two-step process.

The StrandHogg flaw, named after the Old Norse term for a Viking coastal raid, is pretty easy to grasp. Android groups an app's screens (activities) into tasks, and an app declares which task a screen belongs to through its task affinity. A malicious app can set the affinity of one of its own screens to match a legitimate app, so that when you launch the legitimate app, the malicious screen is placed on top of that app's task and is what you see, without your knowledge.

So, for example, if you tapped the Facebook icon on your Android phone, a StrandHogg-exploiting app's screen could appear in Facebook's place, so that what you see looks as though Facebook had just opened.

The malicious app could then display a fake Facebook login page and get you to enter your email address and password, which it would then send to a remote attacker.
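The mechanism leaves a visible trace on the device: the hijacked task's affinity names the victim app, while the activity sitting on top of it belongs to another package. As an added example (not code from Promon's report or from Tom's Guide), the following shell script looks for exactly that mismatch in the output of "adb shell dumpsys activity activities". The dump it parses is constructed and abbreviated, the field layout follows Android 9/10 output, and the package names (com.example.bank, com.evil.dropper) are invented.

```shell
#!/bin/sh
# Added example, not code from Promon or Tom's Guide: spot a StrandHogg-style
# hijack in a `dumpsys activity activities` dump. The attack parks a malicious
# activity inside the victim app's task, so the task's affinity (A=...) names
# one package while an activity on top of it belongs to another.

# Constructed, heavily abbreviated dump in the shape of Android 9/10 output.
# Real output is much longer, and Android 11+ prints "Task{...}" instead of
# "TaskRecord{...}", so the patterns below may need adjusting there.
SAMPLE_DUMP='  Stack #1: type=standard mode=fullscreen
    * TaskRecord{2f4c1e4 #217 A=com.example.bank U=0 StackId=1 sz=2}
      affinity=com.example.bank
      realActivity=com.example.bank/.MainActivity
      * Hist #1: ActivityRecord{9a8b7c u0 com.evil.dropper/.LoginOverlayActivity t217}
          packageName=com.evil.dropper processName=com.evil.dropper
      * Hist #0: ActivityRecord{1a2b3c u0 com.example.bank/.MainActivity t217}
          packageName=com.example.bank processName=com.example.bank
    * TaskRecord{5e6f7a8 #218 A=com.example.mail U=0 StackId=1 sz=1}
      affinity=com.example.mail
      * Hist #0: ActivityRecord{4d5e6f u0 com.example.mail/.InboxActivity t218}
          packageName=com.example.mail processName=com.example.mail'

# find_foreign_activities: read a dump on stdin and print one line per activity
# whose package does not match the affinity of the task it sits in:
#   <task id> <task affinity> <package/activity>
# Affinity defaults to the package name, so a mismatch is suspicious but not
# proof: a legitimate app may set a custom android:taskAffinity. Review hits.
find_foreign_activities() {
    awk '
        # A task header: remember its id (#NNN) and affinity (A=pkg).
        /\* TaskRecord/ {
            task = ""; affinity = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^#[0-9]+$/) task = substr($i, 2)
                if ($i ~ /^A=/)       affinity = substr($i, 3)
            }
            next
        }
        # An activity record in the current task: the field containing "/"
        # is the component, written package/ActivityClass.
        /\* Hist #[0-9]+: ActivityRecord/ {
            for (i = 1; i <= NF; i++) {
                if (index($i, "/") > 0) {
                    split($i, parts, "/")
                    if (affinity != "" && parts[1] != affinity)
                        print task, affinity, $i
                    break
                }
            }
        }
    '
}

# scan_sample: run the check over the constructed dump above.
scan_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_foreign_activities
}

# Against a real, USB-debugging-enabled device (not run here):
#   adb shell dumpsys activity activities | find_foreign_activities
scan_sample
```

On the constructed dump the script reports task 217, whose affinity is com.example.bank, as hosting com.evil.dropper/.LoginOverlayActivity; the mail task produces no output. Run it right after launching the app you suspect is being impersonated, because the malicious activity is only placed in the victim's task at launch time.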

The StrandHogg phishing mechanism. (Image credit: Promon)

That's a classic phishing attack, and StrandHogg makes it possible on all versions of Android. On Android 6 Marshmallow and later, which introduced runtime permission prompts, it gets worse: a StrandHogg-exploiting malicious app can pop up system permission requests while pretending to be a known benign app, so the request appears to come from the app you just opened. Grant those requests and you could inadvertently give hackers nearly total control over your phone.

The StrandHogg permissions-harvesting mechanism. (Image credit: Promon)

These attacks appear to work against any legitimate Android app: Promon tested the 500 most popular Android apps and couldn't find a single one that was immune.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
