Security researchers have spotted a new elevation of privilege vulnerability in Android that allows hackers to gain access to almost all apps.
According to a blog post by Promon, the bug has been named StrandHogg 2.0 as it bears many similarities to the StrandHogg vulnerability discovered by the company in 2019.
The flaw allows hackers to hijack nearly any app. In addition, it enables broader attacks and is much more difficult to detect, making it, in effect, its predecessor’s ‘evil twin’, according to the firm.
StrandHogg 2.0 (CVE-2020-0096) is described as Critical Severity as it enables malicious apps to pretend to be legitimate apps while also remaining completely hidden.
“Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone,” said researchers.
Researchers added that the hack has per-app tailored assets that allows it to attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time.
“As a result, StrandHogg 2.0 broadens its attack capabilities significantly! Like its predecessor, StrandHogg 2.0 does not require root access or any permissions from the device in order to be executed. Just like its relatively less evil twin, StrandHogg 2.0 is extremely dangerous because it enables sophisticated attacks, even on unrooted devices,” researchers said.
Sam Bakken, senior product marketing manager at OneSpan, told SC Media UK that this latest vulnerability serves as a reminder that there is no reliable way to know the precise security status of mobile devices on which your mobile app operates.
“Developers have no real way of knowing whether a user’s device is riddled with vulnerabilities or compromised with malware or not. This is why advanced security such as app shielding and runtime protection that travels with the app to defend it even in hostile conditions is crucial to a complete, layered approach to mobile app security,” he said.
Boris Cipot, senior security engineer at Synopsys, told SC Media UK that It’s worth noting that Strandhogg 2.0 is dangerous for two reasons: the way in which it ends up on your mobile device and the way in which it harvests rights and access data.
“The malware can be installed by so-called “dropper apps,” also known as hostile downloaders, that are distributed through Google Play,” he said.
“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion. One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation.”