A recently discovered Android vulnerability allows malicious actors to take over legitimate apps to steal user data and gain access to a victim’s smartphone features.
The flaw was picked up by Norwegian security firm Promon and is called StrandHogg 2.0, the “evil twin” of a similar vulnerability identified in 2019.
The first StrandHogg exploit abused taskAffinity, an attribute of Android's multitasking system, to hijack legitimate apps once an attacker's crafted malicious app had been installed on a user's device.
As Ars Technica explained, the malware did this by setting the taskAffinity of its own activities to match the packageName of any other app it wanted to impersonate.
When a user then opens a legitimate app such as Facebook or Gmail on a compromised device, the imposter app would be launched instead.
The app then reflects an identical login page and when the user inputs their details, the information is sent to the attacker.
The original StrandHogg vulnerability had one major weakness from an attacker's point of view, however: it required taskAffinity to be declared in the Android Manifest, an XML file included in the installation package hosted on the Play Store.
Google was therefore able to scan and easily locate apps with suspicious taskAffinity descriptions and remove these from the store.
The new flaw does not rely on taskAffinity at all; the attacker can download and deploy the hijacking code to a user's device after the malicious app has been installed, so a manifest-based check of the kind described above does not catch it.
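The manifest check that made the original StrandHogg detectable can be illustrated with a small scanner. The example below is added here and is not code from Promon, Google or the article; it assumes a decoded text AndroidManifest.xml (APKs ship the manifest in a binary XML encoding, so it would first need to be decoded, for instance with apktool), and the sample manifest, package names and activity names embedded in it are constructed for the example. It flags any activity, or an application-wide default, whose android:taskAffinity points outside the app's own package, which is the pattern the first StrandHogg variant needed and the pattern StrandHogg 2.0 no longer exposes in the manifest.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used for android:* attributes in every Android manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element: ET.Element, name: str):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest (hypothetical package and activity names, not a
# real app). One activity sets its taskAffinity to another package's name, the
# signature the original StrandHogg variant relied on.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
    <application android:label="Flashlight">
        <activity android:name=".MainActivity" />
        <activity android:name=".OverlayActivity"
            android:taskAffinity="com.example.targetbank"
            android:allowTaskReparenting="true" />
        <activity android:name=".SettingsActivity"
            android:taskAffinity="com.example.suspicious.settings" />
        <activity android:name=".NoAffinityActivity"
            android:taskAffinity="" />
    </application>
</manifest>
"""


def _is_foreign(affinity: str, own_package: str) -> bool:
    """An affinity inside the app's own package namespace is normal; any other
    package name means the activity asks to join another app's task."""
    if affinity == own_package or affinity.startswith(own_package + "."):
        return False
    return True


def find_foreign_task_affinities(manifest_xml: str) -> List[Dict[str, object]]:
    """Return one finding per activity (or application default) whose
    taskAffinity names a package other than the app's own."""
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package", "")
    findings: List[Dict[str, object]] = []

    application = root.find("application")
    if application is not None:
        # <application android:taskAffinity> sets the default for every activity.
        app_affinity = _attr(application, "taskAffinity")
        if app_affinity and _is_foreign(app_affinity, own_package):
            findings.append({"activity": "<application default>",
                             "taskAffinity": app_affinity,
                             "reparenting": False})

    for activity in root.iter("activity"):
        affinity = _attr(activity, "taskAffinity")
        # An absent attribute inherits the package default; an empty string
        # means "no affinity", which cannot join another app's task.
        if not affinity or not _is_foreign(affinity, own_package):
            continue
        findings.append({
            "activity": _attr(activity, "name"),
            "taskAffinity": affinity,
            # allowTaskReparenting lets the activity move into the target task
            # when that task comes to the foreground.
            "reparenting": _attr(activity, "allowTaskReparenting") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in find_foreign_task_affinities(SAMPLE_MANIFEST):
        print("suspicious taskAffinity: activity=%s affinity=%s reparenting=%s"
              % (finding["activity"], finding["taskAffinity"], finding["reparenting"]))
```

A hit from this scanner is a signal for review rather than proof of malice, since a few legitimate apps use cross-package affinities deliberately; it also shows why the original fix was fragile, because an app that fetches its hijacking logic after installation, as StrandHogg 2.0 does, presents a clean manifest at submission time.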
“By exploiting this vulnerability, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen,” Promon explained.
If a victim then inputs their credentials on what appears to be a legitimate login page – such as a Google or Facebook account – the details are immediately sent to the attacker.
Additionally, users can be tricked into thinking they are granting access to certain permissions to the trusted app.
For example, opening the real camera app might pop up a prompt asking for permission to use the smartphone's camera and microphone. When the user allows this, the permission is actually granted to the attacker's app.
“Attackers will be able to gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone”, Promon explained.
In a proof of concept video, Promon illustrated how legitimate apps – including Facebook, Gmail, Camera, and Texts – can be hijacked.
Over 90% of Android users affected
Promon noted the flaw affected all versions of the OS before Android 10.
According to data from Google, as of April 2020, 91.8% of Android active users worldwide are on version 9.0 or earlier.
Promon notified Google of the flaw in December 2019 in order to provide the company with reasonable time to release a patch before revealing it to the public.
Google labeled the StrandHogg 2.0 flaw as “Common Vulnerability and Exposures number CVE-2020-0096” and classified it as “critical severity”.
It rolled out a patch to Android ecosystem partners in April 2020 and a security update to the general public in May. Its availability on individual devices will depend upon OEM rollouts, however.
Below is an illustration of how the StrandHogg 2.0 attack is carried out.