Once exploited, it allows malicious apps to camouflage as nearly any legitimate app, with Promon finding that "all of the 500 most popular apps (as ranked by app intelligence company 42 Matters) are vulnerable to StrandHogg".
A new Android vulnerability lets malicious apps disguise themselves convincingly as legitimate ones. Lookout, another security firm working in conjunction with Promon, identified no fewer than 36 malicious apps already actively exploiting the vulnerability.
Victims can also be tricked into granting the malicious apps additional permissions, which then enable the apps to perform all manner of nefarious activities including intercepting texts and calls, and listening in via a phone's microphone.
"This exploit is based on an Android control setting called 'taskAffinity', which allows any app - including malicious ones - to freely assume any identity in the multitasking system they desire."
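The quote above names the mechanism: an activity's android:taskAffinity decides which task it joins, and by default that affinity is the app's own package name. A defender can therefore triage an APK by decoding its manifest and listing activities whose affinity points outside the app's own package. The script below is an added example written for this article, not code from Promon, Lookout or Google; it assumes a decoded plain-text AndroidManifest.xml, and the package names in the embedded sample manifest are constructed placeholders. It is a triage heuristic that produces candidates for manual review, not a verdict: legitimate apps can set unusual affinities too.

```python
# Added example (not from the article or the firms it cites): flag activities
# whose android:taskAffinity points away from the app's own package namespace.
# Assumes a decoded, plain-text AndroidManifest.xml (e.g. after apktool/aapt).
import xml.etree.ElementTree as ET
from typing import Dict, List

# Android's manifest attribute namespace; attributes appear as {ns}name in ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element: ET.Element, name: str, default=None):
    """Read an android:<name> attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}", default)


def suspicious_task_affinities(manifest_xml: str) -> List[Dict[str, str]]:
    """Return activities whose effective taskAffinity lies outside the app's package.

    Rules applied:
      * no taskAffinity on activity or <application>  -> default (package name), benign
      * taskAffinity == ""                              -> activity owns no shared task, benign
      * taskAffinity equal to, or a sub-name of, the package (pkg or pkg.xxx) -> in-namespace, benign
      * anything else                                   -> candidate for review
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings: List[Dict[str, str]] = []

    app = root.find("application")
    if app is None:
        return findings

    # <application android:taskAffinity> sets the default for all its activities.
    app_affinity = _attr(app, "taskAffinity")

    for activity in app.iter("activity"):
        name = _attr(activity, "name", "")
        affinity = _attr(activity, "taskAffinity", app_affinity)
        if affinity is None or affinity == "":
            continue
        in_namespace = affinity == package or affinity.startswith(package + ".")
        if not in_namespace:
            findings.append({"activity": name, "taskAffinity": affinity})
    return findings


# Constructed sample manifest: one ordinary activity, one in-namespace affinity,
# one empty affinity, and one activity claiming another package's task.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <application android:label="Demo">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Settings"
              android:taskAffinity="com.example.benign.settings"/>
    <activity android:name=".Standalone" android:taskAffinity=""/>
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.otherapp"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for hit in suspicious_task_affinities(SAMPLE_MANIFEST):
        print(f"review: {hit['activity']} claims taskAffinity {hit['taskAffinity']}")
```

Run against the sample, only `.OverlayActivity` is reported; the in-namespace and empty affinities are deliberately left alone so the output stays short enough to review by hand across a large app inventory.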
What makes this flaw even more dangerous is that, according to the researchers who spotted it, Google has not yet fixed the issue on any version of Android, directly exposing all Android users to malware written to abuse it.
In the latest such case, attackers did just that and drained the bank accounts of many victims.
Tom Hansen, chief technology officer at Promon, told the BBC: "We'd never seen this behavior before." Users are unaware that they are granting permission to the attacker rather than to the authentic app they believe they are using.
In a statement, Google said: "We appreciate the researchers' work, and have suspended the potentially harmful apps they identified." "These apps have now been removed, but in spite of Google's Play Protect security suite, dropper apps continue to be published and frequently slip under the radar, with some being downloaded millions of times before being spotted and deleted," the researchers say.
Promon reported the StrandHogg vulnerability to the Google security team this summer and disclosed the details today, after the tech giant had still not patched the issue once the 90-day disclosure deadline had passed.