The vulnerability resembles the StrandHogg flaw, revealed last year, but is even more sophisticated.
Dubbed StrandHogg 2.0 and also known as CVE-2020-0096, the vulnerability affects all Android devices, except those running the most recent Android version, Android Q/10. The bad news is that the latest version is used by a small percentage of all Android devices – 15 to 20%. This means that billions of Android devices are exposed to the sophisticated StrandHogg 2.0 attack.
StrandHogg 2.0 Explained
First of all, this is an elevation of privilege vulnerability, which was discovered by Promon researchers. The flaw could allow threat actors to gain access to nearly all apps on an Android device.
According to the official report, the flaw has been classified ‘critical severity’ (CVE-2020-0096) by Google. Due to the similarities with the StrandHogg vulnerability discovered by the same researchers in 2019, the bug has been dubbed StrandHogg 2.0.
“While StrandHogg 2.0 also enables hackers to hijack nearly any app, it allows for broader attacks and is much more difficult to detect, making it, in effect, its predecessor’s ‘evil twin’,” the researchers said.
How is the StrandHogg 2.0 attack executed?
StrandHogg 2.0 is carried out through reflection, thus allowing malicious apps to freely take over the identity of legitimate apps while also remaining completely hidden.
Once a malicious app is installed, the vulnerability enables attackers to perform various malicious actions, such as:
- gaining access to private SMS messages and photos;
- stealing the victim’s login credentials;
- tracking the victim’s GPS movements;
- making or recording phone conversations;
- using the device’s camera and microphone to spy on the victim.
Needless to say, StrandHogg 2.0 is much worse than its twin, as it is capable of dynamically attacking almost any app simultaneously at the touch of a button. In comparison, the first vulnerability could enable attacks where only one app was attacked at a time. This new capability makes the second version of the flaw much more dangerous – no root access is required for the attack to happen, nor are any device permissions.
“By exploiting this vulnerability, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen,” Promon researchers explained.
What happens next? If the user types in their login credentials on the malicious app’s interface, the details will be immediately sent to the attackers. Having access to such details enables attackers to carry out further malicious activities.
However, what makes StrandHogg 2.0 so threatening is that it is much more difficult to detect due to its code-based execution.
Attackers exploiting the original StrandHogg have to explicitly and manually enter the apps they are targeting into the Android manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed. This declaration of required code, which can be found within the Google Play store, is not needed when exploiting StrandHogg 2.0, the report clarified.
What does this mean? The hacker can further obfuscate the attack, as no external configuration is needed to execute this attack. This is possible because code taken from Google Play is not flagged as suspicious by developers and security researchers.
In addition, this also means that Android malware exploiting the StrandHogg 2.0 flaw will also be more difficult to detect by security and anti-virus scanners, making the end user more vulnerable.
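The manifest-based trace described above is the one a defender can actually look for. The following is an added example, not code from the article or from Promon: it scans a decoded AndroidManifest.xml for an activity whose task affinity points at a different package, which is the shape of the original StrandHogg declaration (the assumption here is that the targeting is expressed through the android:taskAffinity and android:allowTaskReparenting attributes, as documented for StrandHogg 1.0). The sample manifest and its package names are constructed. As the article notes, StrandHogg 2.0 leaves no such manifest trace, so this check does not detect it.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "flashlight" app whose second activity claims the task
# affinity of an unrelated (placeholder) banking package. Not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".LoginOverlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_cross_package_affinities(manifest_xml):
    """Return (activity, affinity, reparenting) tuples for every activity whose
    android:taskAffinity names something other than the app's own package."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for act in app.iter("activity"):
        affinity = _attr(act, "taskAffinity")
        # Absent affinity defaults to the package itself; empty string means
        # "no affinity"; neither is the hijack shape we are looking for.
        if not affinity or affinity == own_pkg:
            continue
        name = _attr(act, "name") or ""
        if name.startswith("."):            # shorthand relative to own package
            name = own_pkg + name
        reparent = (_attr(act, "allowTaskReparenting") or "false").lower() == "true"
        findings.append((name, affinity, reparent))
    return findings


if __name__ == "__main__":
    for hit in find_cross_package_affinities(SAMPLE_MANIFEST):
        print("activity %s claims affinity %s (allowTaskReparenting=%s)" % hit)
```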
Promon researchers believe that attackers will be using the two vulnerabilities together, thus ensuring a broader target area.
What about the mitigations? Unfortunately, the mitigations against StrandHogg will not work against StrandHogg 2.0, and vice versa. Fortunately, devices running the latest version of Android are not prone to the attack but their number is too small. According to the latest Google statistics up to April 2020, 91.8% of Android active users worldwide are on version 9.0 or earlier.
Google was notified about the vulnerability in December 2019. Google already rolled out a patch to the Android ecosystem partners last month. A security patch fixing the flaw for Android versions 8.0, 8.1, and 9 is set to be rolled out to the general public in May 2020, Promon added.