Promon, the leading provider of application shielding technology, responsible for uncovering the critical Android vulnerabilities StrandHogg and StrandHogg 2.0, has discovered a new threat to Android’s worldwide userbase.

Promon tested 384 financial services apps available on the Google Play Store, which included apps for banking, crypto, trading, payment, government services and other financial services. Of the apps tested, Promon discovered that 236 (61.5%) were susceptible to application repackaging, or cloning, attacks. Of these, 154 were banking apps.

Application repackaging allows bad actors to take an existing piece of software, such as a mobile application, and inject their own code on top of the existing source code. This enables them to modify the app’s function and “repackage” it. As a result, the app can now perform additional background tasks outside its intended functions (unbeknownst to the user), including credential stuffing, where a user’s login information is stolen.

Promon’s research also assessed the top most globally downloaded financial services apps, Promon found that of the 92 apps tested, 46 (50%) were successfully able to be modified and repackaged. Promon additionally tested the most popular financial services apps within particular regions around the world. Of the most popular apps in the US, Promon found that of the 54 apps tested, 37 (68.5%) were able to be repackaged. Similarly, for the most popular apps in the UK, 74 were tested and 45 (~61%) were capable of being repackaged. In India, 69 apps were tested, with 47 (68%) susceptible to repackaging attacks.

The full report can be read here: https://promon.co/content/uploads/2022/11/App-Threat-Report-The-State-of-Repackaging-Promon.pdf

The susceptible apps all shared commonalities. Every app lacked the necessary components to allow them to detect if repackaging has occurred. This omission of repackaging detection tools means that not only are apps vulnerable to these attacks, but they also have no way of recognizing that such an attack has even taken place.

Repackaging attacks are becoming increasingly common, particularly within the financial services sector. According to the Nokia 2021 Threat Intelligence Report, last year saw an 80% increase in the number of new banking trojans with this trend set to continue year-on-year. Banking applications are a prime target as, once repackaged, the app would still function as intended, however, bad actors could now perform money transfers and steal personal information, resulting in financial loss for the affected individual.

Benjamin Adolphi, software engineer at Promon responsible for the research comments: “For years now, Android users have been by far the biggest victims of banking malware. The ease of access provided by Android’s SDK has benefited developers but sadly has not gone unnoticed by many cyber criminals. The susceptibility of APK files to tampering should be of great concern to the billions of users within the Android ecosystem who simply want to manage their finances from their mobile.”