A Norwegian security research team that identified the dangerous StrandHogg elevation of privilege vulnerability affecting Android smartphone devices last year has warned of a new variant in circulation that has the potential to do much more harm.
StrandHogg first came to widespread attention in early December 2019. The vulnerability enables malware to pass itself off as a legitimate app, giving hackers the ability to access data held on a device, including text messages, photos, credentials and geolocation, as well as recording phone calls and activating cameras and microphones.
The new variant, dubbed StrandHogg 2.0 – but which will more formally go by CVE-2020-0096 – was again uncovered by Oslo-based Promon, a supplier of app security services, and is described by the company as its predecessor’s “evil twin”. While Android 10 (Q) is not affected, multiple versions counting backwards from Android 9 (Pie), which account for the bulk of the global installed base, are.
Promon’s chief technology officer (CTO) and founder, Tom Lysemose Hansen, said StrandHogg 2.0 was similar to StrandHogg in the sense that it allows attackers to access personally identifiable information (PII), but because it enables hackers to hijack nearly any app present on a device, it could lead to much broader attacks and become much harder to detect.
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together, they become a powerful attack tool for malicious actors,” he said.
“Android users should update their devices to the latest firmware as soon as possible to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place to mitigate the risks of attacks in the wild.”
Tom Lysemose Hansen, Promon
Version one of StrandHogg exploited the TaskAffinity Android control setting to hijack the operating system’s multitasking feature, which left behind traceable markers, but version two is executed through reflection, letting malicious apps assume the identity of legitimate ones while staying hidden. StrandHogg 2.0 can also dynamically attack nearly every app on its target device at once, whereas its twin could only attack apps one at a time.
In terms of practical effects, a StrandHogg 2.0 victim would be tricked by a malicious app so that when they click the app icon of a legitimate one, a malicious version is instead displayed, stealing any credentials used to log in and sending them to the attacker, who can then log into and control security-sensitive apps.
Promon said it was likely that attackers would look to use both versions of StrandHogg together, maximising their potential to compromise targets.
“We remain in constructive dialogue with Google, which has acknowledged the severity of StrandHogg 2.0 and is set to roll out a fix to the general public in May, in addition to its own report of the vulnerability,” said Promon CEO Gustaf Sahlman.
Boris Cipot, senior security engineer at Synopsys, said: “It’s promising to see that Google has reacted so quickly here, implementing a system through which to screen applications for unwanted behaviour and then blocking apps attempting to exploit this vulnerability.
“It’s worth noting that StrandHogg 2.0 is dangerous for two reasons: the way in which it ends up on your mobile device and the way in which it harvests rights and access data. The malware can be installed by so-called dropper apps, also known as hostile downloaders, that are distributed through Google Play.
“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect users, malicious apps will still likely slide past their screening process on occasion. One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation.”
Sam Bakken, senior product marketing manager at OneSpan, said: “While the potential for damage is pretty clear, there are steps app developers can take to protect apps and users against threats such as these.
“Android users should update their device to the latest version of Android. Unfortunately, depending on the device manufacturer and a user’s service provider or carrier, that may not be possible. This is why app developers, and especially developers of mobile financial services apps, need to take note.
“This latest vulnerability serves as a reminder that there’s no reliable way to know the precise security status of mobile devices on which your mobile app operates,” he warned. “Developers have no real way of knowing whether a user’s device is riddled with vulnerabilities or compromised with malware or not. This is why advanced security such as app shielding and runtime protection that travels with the app to defend it even in hostile conditions is crucial to a complete, layered approach to mobile app security.”