By Davey Winder for Forbes
At the start of May, I reported on a critical security vulnerability that could impact every Samsung Galaxy smartphone sold from late 2014 onwards. That zero-click bug scored a perfect 10 on the vulnerability severity scale. The good news was that it had been patched in the Samsung May 2020 security update. Just as Android users were recovering from that security shocker, and some have yet to get that update on their devices, it should be noted, along comes one more.
This time it’s in the form of another critical vulnerability, but rather than applying to Samsung devices only, it’s an issue that exists in almost every version of Android. Only users of Android 10 need have no concern here, all other versions of Android, however, are potentially affected. Given that, in April, Android 10 only accounted for around 16% of users, and Google itself says there are at least 2 billion Android users out there, that’s north of 1 billion Android devices potentially at risk.
The risk being that, if exploited by an attacker, this vulnerability could lead to an elevation of privilege and give that hacker access to bank accounts, cameras, photos, messages and login credentials, according to the researchers who uncovered it. What’s more, it could do this by assuming “the identity of legitimate apps while also remaining completely hidden.”
What is StrandHogg 2.0?
Researchers at a Norwegian security company called Promon discovered CVE-2020-0096, which they called StrandHogg 2.0: the more cunning “evil twin” to the original Android StrandHogg vulnerability it also found last year. “While StrandHogg 2.0 also enables hackers to hijack nearly any app,” the researchers said, “it allows for broader attacks and is much more difficult to detect.”
Rather than exploit the same TaskAffinity control setting as the original StrandHogg vulnerability, StrandHogg 2.0 doesn’t leave behind any markers that can be traced. Instead, it uses a process of “reflection,” which allows it to impersonate a legitimate app by using an overlay into which the user actually enters credentials. But that’s not all; it also remains entirely hidden in the background while hijacking legitimate app permissions to gain access to SMS messages, photos, phone conversations, and even track GPS location details. Using the “correct per-app tailored assets,” the Promon researchers said, StrandHogg 2.0 can “dynamically attack nearly any app on a given device simultaneously at the touch of a button.”
Stealthier than your average StrandHogg
Detection would also appear to be more complicated than the previous StrandHogg vulnerability. “No external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack,” the researchers said, “as code obtained from Google Play will not initially appear suspicious to developers and security teams.”
However, Google told TechCrunch, which broke the StrandHogg 2.0 news, that it had not seen any evidence of the vulnerability being exploited to date. I reached out to Google and a spokesperson told me: “We appreciate the work of the researchers, and have released a fix for the issue they identified. Additionally, Google Play Protect detects and blocks malicious apps, including ones using this technique.” The latter being important as exploitation of the vulnerability requires the device to already be infected by a malicious app.
How can you mitigate this critical Android vulnerability?
It’s not all bad news for Android users, though. Those with devices running Android 10 are not impacted. There’s more good news for those of you who are, however, running Andorid 9 or earlier, as Google included a patch for CVE-2020-0096 in the May 2020 Android security update. It was described there as a critical vulnerability that could enable a local attacker to use a specially crafted file to execute arbitrary code within the context of a privileged process. The usual fractured ecosystem warnings from me have to be flagged up at this point: many users will not see that update rolling out to them immediately, and some may never see it at all if they have an older unsupported device.
Tod Beardsley, research director at Rapid7, said that “since the fix for this bug is part of the core Android operating system, Android users are once again at the mercy of their handset manufacturers and their service providers, who are often slow to act when it comes to distributing security patches. People who are worried about this bug in particular should keep a close eye on when the fix for CVE-2020-0096 hits their particular distribution.”
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability, and the concern is that when used together, it becomes a powerful attack tool for malicious actors,” Tom Lysemose Hansen, Promon CTO and founder, said. He recommends Android users update to the latest firmware as soon as they can, and advises app developers to “ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”
“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion,” Boris Cipot, a senior security engineer at Synopsys, said. “One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation,” Cipot concluded.
Promon has issued a disclosure timeline, which shows it notified Google of the vulnerability on December 4, 2019, and an ecosystem partner patch was rolled out in April 2020 before the public fix within the latest Android security updates for users.