Google has patched a critical vulnerability, resembling 2019’s infamous StrandHogg flaw, that allows hackers to hijack almost any app on the Android mobile operating system.
The flaw, assigned CVE-2020-0096, has been dubbed StrandHogg 2.0 due to the similarities with the original flaw discovered in December. The successor allows for broader attacks and is far more difficult to detect, rendering it, in effect, an “evil twin”, according to Promon researchers.
The original StrandHogg exploited the Android control setting ‘TaskAffinity’ which hijacks Android’s multitasking feature and therefore left traceable markers. The newer iteration is executed through reflection, which means malicious apps can assume the identity of legitimate apps while remaining completely hidden.
Once a malicious app is installed on a device, hackers can gain access to private SMS messages and photos, track GPS movements, steal login credentials, make or record phone conversations, and spy through a phone’s camera and microphone.
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” said Promon founder and CTO Tom Lysemose Hansen.
“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”
While StrandHogg can only attack apps one at a time, the recently-discovered version attacks nearly any app on a given device simultaneously, the researchers found. Strandhogg 2.0 also doesn’t require root access or permissions from the device to be executed.
By exploiting the flaw, a malicious app installed on a device can trick the user so that when an app icon of a legitimate app is selected, the malicious version is instead shown on the display. If victims input login credentials, those are immediately sent to the attacker, who can access and control security-sensitive apps.
RELATED RESOURCE
Introducing VMDR: Vulnerability Management, Detection and Response
The all-in-one vulnerability management service
StrandHogg 2.0 is also more difficult to detect because, unlike in the original flaw, attackers don’t need to explicitly enter the apps they are targeting into the Android Manifest, which becomes visible within an XML file, which shows a declaration of permissions. Malware exploiting StrandHogg 2.0 will also be harder for antivirus software to detect.
Exploits don’t impact devices running the Android 10 operating system, although a significant portion of Android users still run older versions of the OS, meaning a large swathe of the public is at risk. Figures from Google show that 91.8% of Android users are on version 9.0 or earlier.
Promon was notified of the vulnerability in early December last year and rolled out a patch to the Android ecosystem partners in April 2020. A security patch for Android versions 8.0, 8.1 and 9 are set to be rolled out this month.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
