New Android Bug Strandhogg 2.0 lets malicious apps pose as legitimate apps and steal victim data, and affects all smartphones, tablets, and smart TVs running Android 9.0 and below
Security researchers have discovered a new bug called Strandhogg 2.0, which hackers and cybercriminals can use to push malware disguised as a legitimate app onto your Android smartphone. Strandhogg 2.0 is a distant cousin of an earlier bug, Strandhogg, discovered in 2019.
What is Strandhogg 2.0
Strandhogg 2.0 is a new bug discovered by security researchers John Høegh-Omdal, Caner Kaya, and Markus Ottensmann at Norwegian app-security provider Promon. The bug is a privilege escalation flaw in the Android subsystem which allows any potential hacker to gain root access and push malware to the Android smartphone.
Strandhogg 2.0 is a critical privilege-escalation vulnerability and has the CVE identifier CVE-2020-0096. It affects all Android smartphones, Android tablets, and Android smart TVs running Android Pie or earlier versions. It allows attackers to hijack any app on an infected phone, potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations, and more.
Strandhogg 2.0 is related to Strandhogg 1.0 and named from an old Norse term for the Viking tactic of plundering villages and holding people for ransom. The Norwegian researchers call it an “evil twin” to Strandhogg 1.0.
Strandhogg 1.0 vulnerability could be used by potential hackers to push “real-life malware to pose as legitimate apps, with users unaware they are being targeted,” according to a blog post.
The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims. Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.
Strandhogg 2.0 has many similarities to the old bug according to Norwegian security firm Promon, which discovered both vulnerabilities six months apart. Strandhogg 2.0 works by tricking a victim into thinking they’re entering their passwords on a legitimate app all the while entering their confidential information into a cloned malicious overlay. Like the earlier bug, Strandhogg 2.0 can also hijack other app permissions to siphon off sensitive user data, like contacts, photos, videos, and track a victim’s real-time location.
Strandhogg version 2.0 is deadlier than the earlier version and allows hackers to conduct a far wider range of attacks. The original StrandHogg allowed attacks via the TaskAffinity Android control setting. Strandhogg 2.0 instead allows exploits to be carried out through reflection, which lets malicious apps freely assume the identity of legitimate apps while remaining completely hidden. The Promon researchers have published a white paper explaining how Strandhogg 2.0 works.
StrandHogg 2.0…has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time.
For Strandhogg 2.0 to work, potential hackers inject a malicious app on the Android device, which allows attackers to gain “access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”
Attackers can further hide their activities due to the fact that StrandHogg 2.0 requires root access or external configuration, and code obtained from Google Play will not initially appear suspicious to developers and security teams.
“As a result, the next time the app is invoked, for instance, by a user clicking its app icon, the Android OS will evaluate the existing tasks and find the task we created,” according to the white paper. “Because it looks genuine to the app, it will bring the task we created to the foreground and with it our attack will now be activated.”
Strandhogg 2.0 Proof of Concept (PoC)
The Promon researchers have published a proof-of-concept video of how an exploit would work:
Promon researchers did not find any evidence of attacks in the wild, but researchers theorize that it’s only a matter of time before they appear. Promon researchers said that they expect hackers to combine both the original StrandHogg bug and the new version together, in order to broaden their attack surface:
Strandhogg 2.0 affects Android smartphones, Tablets and Smart TVs with Android v 9.0 (Pie) and below
The researchers have found that the bug doesn’t affect the current Android 10 (Android Q), while Google has issued a security patch to mitigate Strandhogg 2.0 on Android 9.0, Android 8.1, and Android 8. However, considering how slow Android smartphone manufacturers are to pass security patches on to end users, nearly all Android smartphones, smart TVs, and tablets could be affected, except for Google Pixel and other smartphone brands that get security fixes directly from Google.
To give you an idea of the smartphones, tablets and smart TVs vulnerable to the Strandhogg 2.0 attacks, as of April 2020, 91.8 percent of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jelly Bean (2012) and Ice Cream Sandwich (2011). That makes up nearly a billion smartphones and Android devices that are vulnerable to this attack.
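The version and patch facts above can be turned into a fleet check. The following is an added example, not code from Promon or Google: it classifies a device from its Android release and security patch level. The function names, the sample inventory and the fix patch level are constructed assumptions; take the real fix level from the Android Security Bulletin that lists CVE-2020-0096.

```shell
#!/bin/sh
# Classify StrandHogg 2.0 (CVE-2020-0096) exposure using the article's facts:
# Android 10 is not affected; 9.0, 8.1 and 8 have a patch; older versions have none listed.
#   $1 = ro.build.version.release        (e.g. "8.1.0", "9", "10")
#   $2 = ro.build.version.security_patch (YYYY-MM-DD, may be empty)
#   $3 = patch level that contains the fix (assumption: supplied by the caller)
is_iso_date() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

strandhogg2_exposure() {
    release=$1; patch=$2; fix=$3
    major=${release%%.*}                      # "8.1.0" -> "8"
    case $major in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # e.g. a codename build
    esac
    if [ "$major" -ge 10 ]; then echo "not-affected"; return 0; fi
    if [ "$major" -lt 8 ]; then echo "affected-no-patch-listed"; return 0; fi
    # Android 8.x / 9: fixed only when the device patch level reaches the fix level.
    if ! is_iso_date "$patch" || ! is_iso_date "$fix"; then
        echo "affected-patch-level-unknown"; return 0
    fi
    p=$(printf '%s' "$patch" | tr -d '-')     # 2020-07-01 -> 20200701
    f=$(printf '%s' "$fix" | tr -d '-')
    if [ "$p" -ge "$f" ]; then echo "patched"; else echo "affected-patch-available"; fi
}

# Triage a constructed sample inventory: name, release, patch level.
# $1 = fix patch level (the caller's value; the one below is a placeholder).
triage_inventory() {
    while read -r name release patch; do
        [ -n "$name" ] || continue
        printf '%s\t%s\n' "$name" "$(strandhogg2_exposure "$release" "$patch" "$1")"
    done <<'EOF'
pixel-lab 10 2020-04-05
tablet-07 9 2019-11-01
phone-12 8.1.0 2020-07-01
tv-kiosk 7.1.2
EOF
}

SAMPLE_FIX_LEVEL=2020-06-01   # constructed placeholder, NOT the real bulletin date
triage_inventory "$SAMPLE_FIX_LEVEL"
```

On a connected device, the two inputs come from `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`.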