Last year, Android devices suffered cyber attacks after attackers exploited the StrandHogg vulnerability to steal banking data. Now, after a break of a few months, another vulnerability, StrandHogg 2.0, has surfaced online. So far, however, it hasn't caught the attention of criminal hackers.
StrandHogg 2.0 Android Vulnerability
Researchers from security firm Promon have discovered a new vulnerability affecting Android devices. Revealing the details on their website, the researchers refer to this bug as StrandHogg 2.0, an 'evil twin' of the StrandHogg flaw disclosed in late 2019.
The vulnerability, CVE-2020-0096, is a critical-severity bug that allows an attacker to turn an app into a malicious one. Basically, the attackers impersonate otherwise legitimate apps to trick users into installation.
However, this one works more subtly: unlike StrandHogg, it does not exploit Android's 'taskAffinity' setting. Exploiting that setting leaves traceable markers, so the 'evil twin' instead makes use of reflection.
In simple words, once it reaches the target device, the malicious app remains hidden. When the user taps a pre-installed, otherwise legitimate app, the malicious app pops up masquerading as the legitimate one without the user knowing.
Hence, unknowingly, the victim grants all permissions to the malicious app. After that, the victim is redirected to the legitimate app, while the attacker retains all the granted permissions.
The following image shows an example where a malicious app may impersonate a COVID-19 contact tracing app.
Likewise, the malicious app may also steal banking credentials if the victim opens up a banking app.
Difficult To Detect
The researchers explained that StrandHogg 2.0 is extremely dangerous since detecting the malicious app is nearly impossible. As they elaborate:
Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into the Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed.
However, this declaration isn’t a requirement for StrandHogg 2.0.
As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams.
Similarly, the malware would also remain undetectable by security scanners and anti-malware solutions.
The following video demonstrates the PoC exploit.
No Active Exploitation For Now
The researchers first reported the vulnerability to Google in December 2019. Fortunately, by the time of disclosure, Google had had enough time to work on a patch.
This critical elevation-of-privilege vulnerability does not affect Android 10. However, it does impact all older versions, including Android 9 and below. According to stats, these versions account for nearly 91.8% of active Android users globally.
Although researchers have found no active exploitation of StrandHogg 2.0, the vulnerability is quite dangerous, and attackers may exploit it together with its predecessor to wage broad-scale attacks.
While Google no longer supports older Android versions with security updates, it rolled out fixes for Android 8.0, 8.1, and 9.0 in early May 2020. Users of these Android versions should therefore ensure their devices are updated with the latest patches.
Besides, all Android users should make sure not to download any app from an untrusted or little-known developer, even from the Play Store.
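For anyone checking a fleet of devices against the guidance above, the fix status follows from two build properties: the Android release and the security patch level. The triage helper below is an added example, not code from Promon, Google or the article. It assumes the May 2020 fixes correspond to the security patch level string `2020-05-01` (the article only says "early May 2020"), and the `getprop` output it parses is constructed for illustration; on a real device the same two values come from `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`.

```python
"""Triage a device's StrandHogg 2.0 (CVE-2020-0096) fix status from its build properties.

Rules taken from the article: Android 10 is not affected; Android 8.0, 8.1 and 9.0 received
fixes in early May 2020; versions below 8.0 no longer receive security updates from Google.
Assumption (not stated on the page): the May 2020 fix is patch level 2020-05-01.
"""
from __future__ import annotations

import re
from datetime import date

FIX_PATCH_LEVEL = date(2020, 5, 1)          # assumed patch level carrying the fix
FIXED_RELEASES = {(8, 0), (8, 1), (9, 0)}   # releases the article says were patched
FIRST_UNAFFECTED = (10, 0)                  # Android 10 and later are not affected

# `adb shell getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample outputs for four hypothetical devices.
SAMPLE_GETPROP = {
    "android9_march_patch": "[ro.build.version.release]: [9]\n"
                            "[ro.build.version.security_patch]: [2020-03-05]\n",
    "android8_1_may_patch": "[ro.build.version.release]: [8.1.0]\n"
                            "[ro.build.version.security_patch]: [2020-05-05]\n",
    "android10":            "[ro.build.version.release]: [10]\n"
                            "[ro.build.version.security_patch]: [2020-04-05]\n",
    "android7_1":           "[ro.build.version.release]: [7.1.2]\n"
                            "[ro.build.version.security_patch]: [2019-08-05]\n",
}


def parse_getprop(output: str) -> dict[str, str]:
    """Turn getprop-style output into a key/value dict, ignoring malformed lines."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_release(release: str) -> tuple[int, int]:
    """'9' -> (9, 0); '8.1.0' -> (8, 1). Raises ValueError for preview names like 'Q'."""
    parts = release.split(".")
    return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)


def assess(props: dict[str, str]) -> str:
    """Classify a device as not_affected, patched, unpatched, unsupported or unknown."""
    try:
        release = parse_release(props["ro.build.version.release"])
        patch = date.fromisoformat(props["ro.build.version.security_patch"])
    except (KeyError, ValueError):
        return "unknown"
    if release >= FIRST_UNAFFECTED:
        return "not_affected"
    if release not in FIXED_RELEASES:
        return "unsupported"       # too old to receive the May 2020 fix
    return "patched" if patch >= FIX_PATCH_LEVEL else "unpatched"


def triage(output: str) -> str:
    """Convenience wrapper: raw getprop text in, status out."""
    return assess(parse_getprop(output))


if __name__ == "__main__":
    for device, output in SAMPLE_GETPROP.items():
        print(f"{device}: {triage(output)}")
```

The status "unsupported" is the one to watch: those devices will never receive the fix and need a platform upgrade or replacement rather than a patch, while "unpatched" devices only need the May 2020 update applied.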