This Android bug, dubbed “StrandHogg 2.0” (CVE-2020-0096), attacks a device by showing a fake interface that tricks users into giving away sensitive information. An attacker can use it to access private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.
Unlike the infamous StrandHogg vulnerability, which allowed malicious apps to hijack Android’s multitasking feature and “freely assume any identity in the multitasking system they desire”, the new StrandHogg 2.0 flaw is an elevation of privilege vulnerability that enables malware to gain access to almost all Android apps. “If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.
Whereas StrandHogg can only attack apps one at a time, StrandHogg 2.0, the more cunning twin, can, with the correct per-app tailored assets, “dynamically attack nearly any app on a given device simultaneously at the touch of a button”. Worse still, StrandHogg 2.0 is “nearly undetectable”, which makes it harder for anti-virus and security scanners to detect and, as such, poses a significant danger to the end user.
Promon predicts that attackers will look to utilise StrandHogg and StrandHogg 2.0 together, because the two vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible. Similarly, many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice versa.
StrandHogg 2.0 exploits do not impact devices running Android 10. However, a significant proportion of Android users are reported to still be running older versions (Android 9.0 and below), which leaves a large percentage of the global population (91.8% of Android active users) at risk. The Promon researchers have published a video demo of StrandHogg 2.0 showing how the exploit would work.
Promon notified Google about the vulnerability on December 4, 2019, allowing Google to come up with a patch for the bug. The search giant issued a patch to Android ecosystem partners during April 2020 for devices running Android 8.0, 8.1, and 9.0. Since many OEMs do not always release these updates to keep their devices up to date, millions of devices remain at risk.
“We see StrandHogg 2.0 as StrandHogg’s even more evil twin. They are similar in the sense that hackers can exploit both vulnerabilities in order to gain access to very personal information and services, but from our extensive research, we can see that StrandHogg 2.0 enables hackers to attack much more broadly while being far more difficult to detect,” Tom Lysemose Hansen, CTO and founder of Promon, said.
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.
“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”
A spokesperson for Google said that the company has not found any evidence, to date, of the flaw being actively exploited in the wild. “We appreciate the work of the researchers, and have released a fix for the issue they identified,” the Google spokesperson said. Further, Google Play Protect, an app screening service built into Android devices, will block apps that try to exploit the StrandHogg 2.0 vulnerability.
Promon advises users to update their Android devices with the recently released security updates as soon as possible to fix the vulnerability.