StrandHogg 2.0 flaw allows hackers to hijack almost any Android app

The second-generation Android vulnerability is ‘even more dangerous and difficult to detect'

A red Android mascot

Google has patched a critical vulnerability, resembling 2019’s infamous StrandHogg flaw, that allows hackers to hijack almost any app on the Android mobile operating system

The flaw, assigned CVE-2020-0096, has been dubbed StrandHogg 2.0 due to the similarities with the original flaw discovered in December. The successor allows for broader attacks and is far more difficult to detect, rendering it, in effect, an “evil twin”, according to Promon researchers.

The original StrandHogg exploited the Android control setting ‘TaskAffinity’ which hijacks Android’s multitasking feature and therefore left traceable markers. The newer iteration is executed through reflection, which means malicious apps can assume the identity of legitimate apps while remaining completely hidden.

Once a malicious app is installed on a device, hackers can gain access to private SMS messages and photos, track GPS movements, steal login credentials, make or record phone conversations, and spy through a phone’s camera and microphone.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” said Promon founder and CTO Tom Lysemose Hansen.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

While StrandHogg can only attack apps one at a time, the recently-discovered version attacks nearly any app on a given device simultaneously, the researchers found. Strandhogg 2.0 also doesn’t require root access or permissions from the device to be executed.

By exploiting the flaw, a malicious app installed on a device can trick the user so that when an app icon of a legitimate app is selected, the malicious version is instead shown on the display. If victims input login credentials, those are immediately sent to the attacker, who can access and control security-sensitive apps.

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

StrandHogg 2.0 is also more difficult to detect because, unlike in the original flaw, attackers don’t need to explicitly enter the apps they are targeting into the Android Manifest, which becomes visible within an XML file, which shows a declaration of permissions. Malware exploiting StrandHogg 2.0 will also be harder for antivirus software to detect.

Exploits don’t impact devices running the Android 10 operating system, although a significant portion of Android users still run older versions of the OS, meaning a large swathe of the public is at risk. Figures from Google show that 91.8% of Android users are on version 9.0 or earlier.

Promon was notified of the vulnerability in early December last year and rolled out a patch to the Android ecosystem partners in April 2020. A security patch for Android versions 8.0, 8.1 and 9 are set to be rolled out this month. 

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

What should you really be asking about your remote access software?

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021