StrandHogg 2.0 Bug Lets Malware Pose As A Real App And Steal User Data

Researchers at Norwegian security firm Promon have discovered a new elevation of privilege vulnerability in Android that allows hackers to gain access to almost all apps.

This Android bug, dubbed “StrandHogg 2.0” (CVE-2020-0096), attacks a device by showing a fake interface that tricks users into giving away sensitive information. This includes accessing private SMS messages and photos, stealing victims’ login credentials, tracking GPS movements, making and/or recording phone conversations, and spying through a phone’s camera and microphone.

Unlike the infamous StrandHogg vulnerability, which allowed malicious apps to hijack Android’s multitasking feature and “freely assume any identity in the multitasking system they desire”, the new StrandHogg 2.0 flaw is an elevation of privilege vulnerability that enables malware to gain access to almost all Android apps.

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

However, unlike StrandHogg, which can only attack apps one at a time, StrandHogg 2.0, being the more cunning twin, has learned how to, with the correct per-app tailored assets, “dynamically attack nearly any app on a given device simultaneously at the touch of a button”.

What makes it even worse is that StrandHogg 2.0 is “nearly undetectable”, making it harder for anti-virus and security scanners to detect, and as such it poses a significant danger to the end-user.

Promon predicts that attackers will look to utilise both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.

Similarly, many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice-versa.

StrandHogg 2.0 exploits do not impact devices running Android 10. However, a significant proportion of Android users are reported to still be running older versions (Android 9.0 and below), which leaves a large percentage (91.8% of Android active users) of the global population at risk.

The Promon researchers have published a video demo of StrandHogg 2.0 showing how the exploit would work.

Promon notified Google about the vulnerability on December 4, 2019, allowing Google to come up with a patch for the bug. The search giant issued a patch to Android ecosystem partners during April 2020 for devices operating on Android 8.0, 8.1, and 9.0.

Because many OEMs do not always release these updates to keep their devices up to date, millions of devices are put at risk.

“We see StrandHogg 2.0 as StrandHogg’s even more evil twin. They are similar in the sense that hackers can exploit both vulnerabilities in order to gain access to very personal information and services, but from our extensive research, we can see that StrandHogg 2.0 enables hackers to attack much more broadly while being far more difficult to detect,” Tom Lysemose Hansen, CTO and founder of Promon, said.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

A spokesperson for Google has said that the company has not, to date, found any evidence of the vulnerability being actively exploited in the wild.

“We appreciate the work of the researchers, and have released a fix for the issue they identified,” the Google spokesperson said.

Further, Google Play Protect, an app screening service built into Android devices, will block apps that try to exploit the StrandHogg 2.0 vulnerability.

Promon advises users to update their Android devices with the recently released security updates as soon as possible to fix the vulnerability.

Kavita Iyer, https://www.techworm.net