StrandHogg is Back. More Unpleasant, Nearly Undetectable.

A critical Android OS vulnerability is back. StrandHogg 2.0 poses a threat to end users by allowing attackers to perform overlay attacks or request additional permissions while being perfectly hidden in the background. Luckily, the OS patch was already rolled out for devices with Android 8, so having the OS and apps up to date will help you to stay protected.

By Anna Dvořáková. Published in Wultra Blog, May 26, 2020.


Our Nordic technology partner Promon recently detected a new version of the StrandHogg vulnerability in Android OS. The new vulnerability, dubbed StrandHogg 2.0 (CVE-2020-0096), lets attackers intrude on end users' devices in an easier and more sophisticated way than its predecessor. Unlike the first version, which we helped to identify, StrandHogg 2.0 doesn't require a declaration in an Android manifest file, any special permissions, or root access.

Promon illustrates the issue on their website in a video with a proof of concept.

The attacker may use the StrandHogg 2.0 vulnerability to achieve several tasks, for example, to request specific permissions on behalf of a legitimate app.

Even worse, the attacker may use a fake overlay screen to directly steal the user's credentials, for example, for online banking.

A Fully Dynamic Attack, Nearly Undetectable

The ability to perform an attack with code alone, without any obvious or suspicious configuration, makes StrandHogg 2.0 even more unpleasant than the first version. Unlike with StrandHogg 1.0, the attacker does not need to list all targeted apps in the Android manifest file. The attacker also does not need to request any suspicious permissions from the user. It is even possible to download the code and execute the attack itself later using reflection, without needing to update the malicious app. This results in a fully dynamic attack that is extremely difficult to detect.

The weakness lies in the way Android OS launches new activities, namely in an issue with starting a collection of activities.

Promon has already informed Google about the vulnerability, and Google recently released a patch to the Android ecosystem. Hopefully, end users' mobile devices will soon receive, through a device vendor update, an Android OS version that is safe to use.
