A malicious app installed on a device can hide behind legitimate apps.
A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone – potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.
The bug is dubbed the “StrandHogg 2.0” vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the original StrandHogg bug discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.
However, Version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, “allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,” researchers explained, in a white paper published on Tuesday. The original StrandHogg allowed attacks via the TaskAffinity Android control setting.
“StrandHogg 2.0…has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” according to the research.
Attackers would first inject the original launcher activity of the apps they are targeting with their own attack activity. The task will appear to be the original task belonging to the app; however, the attack activity that has been placed into the task is what the user will actually see when the task is activated.
“As a result, the next time the app is invoked, for instance, by a user clicking its app icon, the Android OS will evaluate the existing tasks and find the task we created,” according to the white paper. “Because it looks genuine to the app, it will bring the task we created to the foreground and with it our attack will now be activated.”
The Promon researchers have published a proof-of-concept video of how an exploit would work:
“Mobile apps practically have a target painted on their back. Promon’s recent malware vulnerability discovery dubbed “StrandHogg 2.0″ is the latest example of what dangerous malware could do if exploited in the wild – possibly exposing Android users’ mobile banking credentials and access one-time-passwords sent via SMS,” said Sam Bakken, senior product marketing manager at OneSpan, via email.
StrandHogg 2.0 attacks are also more difficult to detect, researchers wrote.
“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” they explained. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”
Attackers can further hide their activities due to the fact that StrandHogg 2.0 requires root access or external configuration, and code obtained from Google Play will not initially appear suspicious to developers and security teams.
No attacks have thus been seen in the wild, but researchers theorize that it’s only a matter of time before they appear. Promon said that it expects threat actors to use both the original StrandHogg bug and the new version together, in order to broaden their attack surface: Many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice-versa, Promon said.
“We see StrandHogg 2.0 as StrandHogg’s even more evil twin,” said Tom Lysemose Hansen, CTO at Promon. “Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.”
Google has issued a patch for Android versions 9, 8.1 and 8, but users on earlier versions (representing 39.2 percent of Android devices, researchers said) will remain vulnerable. StrandHogg 2.0 exploits do not impact devices running Android 10, so users should update their devices to the latest firmware in order to protect themselves from attacks.
“With a significant proportion of Android users reported to still be running older versions of the OS, a large percentage of the global population is still at risk,” the researchers said.
In fact, according to data from Google, as of April 2020, 91.8 percent of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012) and Ice Cream Sandwich (2011).