StrandHogg 2.0 a new level of Android Apps Hijacking
After discovering StrandHogg 1.0, Promon our technology partner has discovered a more dangerous Android Vulnerability, With attacks more difficult to detect than the predecessor.
Promon analysts have found out a new vulnerability in Android that allows hackers to access almost all apps. Classified ‘critical severity’ (CVE-2020-0096) by Google, the powerlessness has been named StrandHogg 2.0 by Promon as it has many similarities with the StrandHogg vulnerability that was previously discovered by Promon in 2019.
StrandHogg 2.0 doesn’t abuse the Android control setting ‘TaskAffinity’, which captures Android’s multitasking feature and, as a result, leaves behind traceable markers, that makes it much more difficult to detect!
Instead, Strandhogg 2.0 is executed through reflection, allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden. Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.
StrandHogg 2.0, is more advanced than Strandhogg 1.0 which had the ability to attack apps only once, however, StandHogg 2.0 has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button without requiring root access or any permissions from the device in order to be executed. It is also extremely dangerous because it enables sophisticated attacks, even on unrooted devices.
How does StrandHogg 2.0 work?
By exploiting the previous vulnerabilities, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen.
In case the victim uses his/her login credentials through this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps.
StrandHogg 2.0 is code-based
StrandHogg 2.0 is also much more difficult to detect because of its code-based execution.
Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed.
This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.
As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams.
Malware that exploits StrandHogg 2.0 will also be harder for anti-virus and security scanners to detect and, as such, poses a significant danger to the end-user.
Promon predicts that attackers will look to utilize both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible. Likewise, many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice-versa.
StrandHogg 2.0 exploits do not impact devices running Android 10. However with a significant proportion of Android users reported to still be running older versions of the OS, a large percentage of the global population is still at risk.
According to data from Google, as of April 2020, 91.8% of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012) and Ice Cream Sandwich (2011).
Read more about Trustsec In-app protection solution