StrandHogg 2.0 Vulnerability Allows Hackers to Hijack Android Devices

Researchers at Norwegian app security company Promon on Tuesday disclosed the existence of a serious Android vulnerability that allows a piece of malware to hijack nearly any application installed on the victim’s device.

In December 2019, Promon warned that an Android vulnerability, which it dubbed StrandHogg, was being exploited by tens of malicious Android apps to escalate privileges.

StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom, exploits a weakness in Android’s multitasking system. It allows a malicious application with limited permissions to pose as a legitimate app in an effort to obtain elevated privileges, enabling attackers to spy on users and access data stored on the device.

Promon now says it has identified another similar vulnerability, which it has named StrandHogg 2.0 and described as StrandHogg’s “evil twin.”

Just like the original vulnerability, StrandHogg 2.0 can be exploited to hijack apps, but the company warns that “it allows for broader attacks and is much more difficult to detect.”

Malware exploiting StrandHogg 2.0 does not require any permissions and the victim only needs to execute the malicious app to trigger the exploit. If exploitation is successful, the attacker can abuse the hijacked application to obtain the privileges needed to read SMS messages, steal files, phish login credentials, track the device’s location, make or record phone calls, and spy on the user through the phone’s microphone and camera.

According to Promon, StrandHogg 2.0 can target multiple apps simultaneously, and it’s more difficult to detect.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” Promon explained in a blog post. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”

“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” the company added.
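The manifest-level check that the quotes above describe for the original StrandHogg, as an added example (not Promon's or SecurityWeek's code). It assumes the declaration in question is the activity `android:taskAffinity` attribute, which this article does not name; the package names and the watchlist are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded AndroidManifest.xml (e.g. apktool output).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".Main"/>
    <activity android:name=".Settings"
              android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def foreign_task_affinities(manifest_xml, watchlist=()):
    """List activities whose task affinity points outside the app's own package.

    Assumption: android:taskAffinity is the manifest declaration at issue.
    """
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    inherited = _attr(app, "taskAffinity")  # application-level default, if set
    findings = []
    for act in app.findall("activity"):
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = inherited
        if not affinity:  # unset -> own package; "" -> no affinity at all
            continue
        if affinity == own_pkg or affinity.startswith(own_pkg + "."):
            continue  # stays inside the app's own namespace
        findings.append({
            "activity": _attr(act, "name"),
            "affinity": affinity,
            "reparenting": _attr(act, "allowTaskReparenting") == "true",
            "watched": affinity in watchlist,  # names a package we protect
        })
    return findings

if __name__ == "__main__":
    for finding in foreign_task_affinities(SAMPLE_MANIFEST, {"com.example.bank"}):
        print(finding)
```

A manifest with no such declaration returns an empty list, which is the StrandHogg 2.0 case the quotes describe: this check cannot see it.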

Google was informed about the vulnerability on December 4, 2019, and patched it with its May 2020 Android security updates. The tech giant assigned it CVE-2020-0096 and described it as a critical elevation of privilege issue.

In the case of the original StrandHogg, Google focused on detecting and blocking malicious apps exploiting the vulnerability rather than releasing a patch for Android.

Promon says StrandHogg 2.0 does not affect Android 10, but the company notes that roughly 90 percent of Android devices currently run older versions of the mobile operating system.

The security firm says it’s not aware of any malware exploiting the new vulnerability, but it expects hackers to leverage StrandHogg and StrandHogg 2.0 together “because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.