Bug in Android, StrandHogg 2.0

Experts have found a major vulnerability that affects all devices running on Android 9.0 and earlier. Let us see what this vulnerability is all about and its impact on the end-users.

StrandHogg 2.0 helps to hijack the identity of any legitimate app. According to a survey, almost 70% of android devices are exposed to this vulnerability. Although Android 10, 9, and 8 with a security patch from May 2020 are not affected, this includes only 30% of the android users.

Description:

Strandhogg 2.0 exploits (CVE-2020-0096) the behavior of the android system. Let us take a scenario where you clicked on a link received via the Gmail app. Pressing the recent app button will show the preview of the webpage, but the name and app icon will be that of Gmail. Even Google Play Protect fails in containing this bug. StrandHogg 2.0 does not need any Android permissions to run, but it can hijack the permissions of other apps that have an access to a victim’s contacts, photos, and messages by triggering a permissions request. 

Impact:

StrandHogg 2.0 hijacks the app’s Context.startActivities() API method, thus potentially exposing private SMS messages, photos, login credentials, GPS movements, phone conversations, and more. The bug is almost undetectable as there is no prominent way to detect it. Once the permission is granted, the malicious app can start uploading the user’s data that can even lead to a 2-factor authentication bypass.

The risk of this vulnerability is low, but the severity is very high.

Attack Scenario:

1. Assuming that the StrandHogg malicious app is installed and running on the victim’s mobile device.
2. A pop-up asks for specific permission when a user starts using the Gmail app. Here is where the user gets into the phishing hook.
3. The victim will never get to know that the permissions he/she gives are actually for the malicious application and not for the Gmail app.
4. As soon as he/she grants the permissions, the Gmail app starts functioning normally and the data privacy of the victim will be compromised after a successful attack.

Figure 1: A Typical attack flow of StrandHogg 2.0

Mitigation:

As the fix for this bug is a part of the core Android operating system, Android users are dependent on the manufacturer and their service providers who are not that paranoid about the user’s privacy and security. Some users however might not timely update their android operating system, thus, the app developers and especially developers of mobile financial services apps need to take extra care.