StrandHogg 2.0 - Android Vulnerability | Promon

Written by Promon | Jan 17, 2025 12:36:10 PM

StrandHogg 2.0 – The ‘evil twin’

Promon researchers have discovered a new elevation of privilege vulnerability in Android that allows hackers to gain access to almost all apps.

Classified ‘critical severity’ (CVE-2020-0096) by Google, the vulnerability has been named StrandHogg 2.0 by Promon due to its similarities with the infamous StrandHogg vulnerability discovered by the company in 2019.

While StrandHogg 2.0 also enables hackers to hijack nearly any app, it allows for broader attacks and is much more difficult to detect, making it, in effect, its predecessor’s ‘evil twin’.

Having learned from StrandHogg and subsequently evolved, StrandHogg 2.0 doesn’t exploit the Android control setting ‘TaskAffinity’, which the original StrandHogg abused to hijack Android’s multitasking feature and which, as a result, leaves behind traceable markers.

Instead, StrandHogg 2.0 is executed through reflection, allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden.

Using StrandHogg 2.0, once a malicious app is installed on the device, attackers can gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.

StrandHogg 2.0 vs StrandHogg

StrandHogg 2.0, being the more cunning twin, has learned how to dynamically attack nearly any app on a given device simultaneously, at the touch of a button, given the correct per-app tailored assets, unlike StrandHogg, which can only attack apps one at a time.

As a result, StrandHogg 2.0 broadens its attack capabilities significantly! Like its predecessor, StrandHogg 2.0 doesn’t require root access or any permissions from the device to be executed.

Just like its relatively less evil twin, StrandHogg 2.0 is extremely dangerous because it enables sophisticated attacks, even on unrooted devices.

By exploiting this vulnerability, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen.

If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then log in to and control security-sensitive apps.

StrandHogg 2.0 is also much more difficult to detect because of its code-based execution.

Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into the Android Manifest, so this information becomes visible within an XML file that contains a declaration of permissions, including what actions can be executed.

This declaration, which can be found in the app as distributed through the Google Play store, is not required when exploiting StrandHogg 2.0.

As no external configuration is required to execute StrandHogg 2.0, the hacker can further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams.

Malware that exploits StrandHogg 2.0 will also be harder for anti-virus and security scanners to detect and, as such, poses a significant danger to the end-user.
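The manifest marker described above is the one defenders can actually look for: an activity whose `android:taskAffinity` names a package other than the app’s own. The following scanner is an added example (not Promon’s tooling) that flags such activities in an AndroidManifest.xml, using a constructed sample manifest; as the article notes, a clean result says nothing about StrandHogg 2.0, which leaves no manifest marker.

```python
"""Scan an AndroidManifest.xml for the marker StrandHogg (v1) leaves behind:
an activity whose android:taskAffinity names a foreign package.
Added example, not Promon's tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TASK_AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest: two activities borrow other packages' affinity,
# one keeps the default, one explicitly opts out with an empty affinity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".Overlay1"
              android:taskAffinity="com.example.bank" />
    <activity android:name=".Overlay2"
              android:taskAffinity="com.example.mail" />
    <activity android:name=".Settings" android:taskAffinity="" />
  </application>
</manifest>"""


def foreign_affinities(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (activity name, taskAffinity) for every activity whose effective
    affinity names a package other than the app's own.

    Android semantics: an activity inherits the <application> taskAffinity,
    which itself defaults to the package name; "" means 'no shared task'."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    default_affinity = app.get(TASK_AFFINITY, package)
    findings = []
    for activity in app.iter("activity"):
        affinity = activity.get(TASK_AFFINITY, default_affinity)
        if affinity and affinity != package:
            findings.append((activity.get(NAME, "?"), affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in foreign_affinities(SAMPLE_MANIFEST):
        print(f"{name}: taskAffinity -> {affinity}")
    # No hits does not clear the app: StrandHogg 2.0 leaves no manifest marker.
```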

Promon predicts that attackers will look to utilize both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.

Likewise, many mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice versa.

StrandHogg 2.0 exploits do not impact devices running Android 10. However, with a significant proportion of Android users reported to be still running older versions of the OS, a large percentage of the global population is still at risk.

According to data from Google, as of April 2020, 91.8% of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012) and Ice Cream Sandwich (2011).

Tom Lysemose Hansen, CTO and founder of Promon, comments: “We see StrandHogg 2.0 as StrandHogg’s even more evil twin.

They are similar in that hackers can exploit both vulnerabilities to access very personal information and services. Still, our extensive research shows that StrandHogg 2.0 enables hackers to attack much more broadly while being far more challenging to detect.

Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability, and the concern is that, when used together, it becomes a powerful attack tool for malicious actors.

Android users should update their devices to the latest firmware as soon as possible to protect themselves against attacks utilizing StrandHogg 2.0.

Similarly, app developers must ensure that all apps are distributed with the appropriate security measures to mitigate the risks of attacks in the wild.”

Promon CEO Gustaf Sahlman adds: “We remain in constructive dialogue with Google, which has acknowledged the severity of StrandHogg 2.0 and is set to roll out a fix to the general public in May.

Promon has once again discovered a potentially catastrophic Android vulnerability, which, thanks to our researchers, will be fixed before hackers could use it to cause all sorts of distress for people and businesses around the world.” 

Vulnerability Disclosure Timeline

Promon’s announcement of StrandHogg 2.0 was coordinated with Google, which was notified of the vulnerability on 4 December 2019, allowing more than reasonable time to release a fix.

Google rolled out a patch to Android ecosystem partners in April 2020, with a security patch (Android versions 8.0, 8.1, and 9) set to be rolled out to the general public in May 2020.

The vulnerability has been given the Common Vulnerability and Exposures (CVE) number CVE-2020-0096.