StrandHogg 2.0 Vulnerability Allows Hackers to Hijack Android Devices

Researchers at Norwegian app security company Promon on Tuesday disclosed the existence of a serious Android vulnerability that allows a piece of malware to hijack nearly any application installed on the victim’s device.

In December 2019, Promon warned that an Android vulnerability, which it dubbed StrandHogg, was being exploited by tens of malicious Android apps to escalate privileges.

StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom, exploits a weakness in Android’s multitasking system. It allows a malicious application with limited permissions to pose as a legitimate app in an effort to obtain elevated privileges, enabling attackers to spy on users and access data stored on the device.

Promon now says it has identified another similar vulnerability, which it has named StrandHogg 2.0 and described as StrandHogg’s “evil twin.”

Just like the original vulnerability, StrandHogg 2.0 can be exploited to hijack apps, but the company warns that “it allows for broader attacks and is much more difficult to detect.”

Malware exploiting StrandHogg 2.0 does not require any permissions and the victim only needs to execute the malicious app to trigger the exploit. If exploitation is successful, the attacker can abuse the hijacked application to obtain the privileges needed to read SMS messages, steal files, phish login credentials, track the device’s location, make or record phone calls, and spy on the user through the phone’s microphone and camera.

According to Promon, StrandHogg 2.0 can target multiple apps simultaneously, and it’s more difficult to detect.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” Promon explained in a blog post. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”

“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” the company added.

Google was informed about the vulnerability on December 4, 2019, and patched it with its May 2020 Android security updates. The tech giant assigned it CVE-2020-0096 and described it as a critical elevation of privilege issue.

In the case of the original StrandHogg, Google focused on detecting and blocking malicious apps exploiting the vulnerability rather than releasing a patch for Android.

Promon says StrandHogg 2.0 does not affect Android 10, but the company notes that roughly 90 percent of Android devices currently run older versions of the mobile operating system.

The security firm says it’s not aware of any malware exploiting the new vulnerability, but it expects hackers to leverage StrandHogg and StrandHogg 2.0 together “because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
