
StrandHogg 2.0 Vulnerability Allows Hackers to Hijack Android Devices

Researchers at Norwegian app security company Promon on Tuesday disclosed the existence of a serious Android vulnerability that allows a piece of malware to hijack nearly any application installed on the victim’s device.


In December 2019, Promon warned that an Android vulnerability, which it dubbed StrandHogg, was being exploited by tens of malicious Android apps to escalate privileges.

StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom, exploits a weakness in Android’s multitasking system. It allows a malicious application with limited permissions to pose as a legitimate app in an effort to obtain elevated privileges, enabling attackers to spy on users and access data stored on the device.

Promon now says it has identified another similar vulnerability, which it has named StrandHogg 2.0 and described as StrandHogg’s “evil twin.”

Just like the original vulnerability, StrandHogg 2.0 can be exploited to hijack apps, but the company warns that “it allows for broader attacks and is much more difficult to detect.”

Malware exploiting StrandHogg 2.0 does not require any permissions and the victim only needs to execute the malicious app to trigger the exploit. If exploitation is successful, the attacker can abuse the hijacked application to obtain the privileges needed to read SMS messages, steal files, phish login credentials, track the device’s location, make or record phone calls, and spy on the user through the phone’s microphone and camera.

According to Promon, StrandHogg 2.0 can target multiple apps simultaneously, and it’s more difficult to detect.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” Promon explained in a blog post. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”

“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” the company added.
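The manifest declaration Promon describes for the original StrandHogg can be reviewed statically. The following is an added example, not code from Promon or from this article: it flags activities in a decoded AndroidManifest.xml whose `android:taskAffinity` (the attribute the original StrandHogg relied on, not named in the article) points at a package other than the app's own. The sample manifest and its package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: a decoded AndroidManifest.xml (e.g. apktool output).
# Package and activity names are invented for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:taskAffinity="com.example.flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Settings" android:taskAffinity=":settings"/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""


def foreign_affinities(manifest_xml):
    """Return findings for activities whose task affinity names another package."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_affinity = app.get(A + "taskAffinity")  # default for all activities
        app_reparent = app.get(A + "allowTaskReparenting", "false")
        for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
            affinity = act.get(A + "taskAffinity", app_affinity)
            # None -> defaults to own package; "" -> no affinity;
            # ":suffix" -> resolved relative to the app's own package.
            if not affinity or affinity.startswith(":") or affinity == package:
                continue
            # Sub-namespaces of the app's own package are common and benign.
            if affinity.startswith(package + "."):
                continue
            reparent = act.get(A + "allowTaskReparenting", app_reparent)
            findings.append({
                "activity": act.get(A + "name"),
                "taskAffinity": affinity,
                "allowTaskReparenting": reparent == "true",
            })
    return findings


if __name__ == "__main__":
    for f in foreign_affinities(SAMPLE_MANIFEST):
        print(f)
```

An app abusing StrandHogg 2.0 would pass this review, since it needs no such declaration; that gap is the detection problem Promon describes.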

Google was informed about the vulnerability on December 4, 2019, and patched it with its May 2020 Android security updates. The tech giant assigned it CVE-2020-0096 and described it as a critical elevation of privilege issue.

In the case of the original StrandHogg, Google focused on detecting and blocking malicious apps exploiting the vulnerability rather than releasing a patch for Android.

Promon says StrandHogg 2.0 does not affect Android 10, but the company notes that roughly 90 percent of Android devices currently run older versions of the mobile operating system.

The security firm says it’s not aware of any malware exploiting the new vulnerability, but it expects hackers to leverage StrandHogg and StrandHogg 2.0 together “because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
