StrandHogg 2.0 flaw allows hackers to hijack almost any Android app


Google has patched a critical vulnerability, resembling 2019’s infamous StrandHogg flaw, that allows hackers to hijack almost any app on the Android mobile operating system.

The flaw, assigned CVE-2020-0096, has been dubbed StrandHogg 2.0 due to the similarities with the original flaw discovered in December. The successor allows for broader attacks and is far more difficult to detect, rendering it, in effect, an “evil twin”, according to Promon researchers.

The original StrandHogg exploited the Android control setting ‘TaskAffinity’ to hijack Android’s multitasking feature, and therefore left traceable markers. The newer iteration is executed through reflection, which means malicious apps can assume the identity of legitimate apps while remaining completely hidden.

Once a malicious app is installed on a device, hackers can gain access to private SMS messages and photos, track GPS movements, steal login credentials, make or record phone conversations, and spy through a phone’s camera and microphone.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” said Promon founder and CTO Tom Lysemose Hansen.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

While StrandHogg can only attack apps one at a time, the recently discovered version attacks nearly any app on a given device simultaneously, the researchers found. StrandHogg 2.0 also doesn’t require root access or permissions from the device to be executed.

By exploiting the flaw, a malicious app installed on a device can trick the user so that when an app icon of a legitimate app is selected, the malicious version is instead shown on the display. If victims input login credentials, those are immediately sent to the attacker, who can access and control security-sensitive apps.



StrandHogg 2.0 is also more difficult to detect because, unlike with the original flaw, attackers don’t need to explicitly list the apps they are targeting in the Android Manifest, an XML file that also contains the app’s declaration of permissions and where such entries would be visible. Malware exploiting StrandHogg 2.0 will also be harder for antivirus software to detect.

Exploits don’t impact devices running the Android 10 operating system, although a significant portion of Android users still run older versions of the OS, meaning a large swathe of the public is at risk. Figures from Google show that 91.8% of Android users are on version 9.0 or earlier.

Promon was notified of the vulnerability in early December last year and rolled out a patch to the Android ecosystem partners in April 2020. A security patch for Android versions 8.0, 8.1 and 9 is set to be rolled out this month.

Keumars Afifi-Sabet
