Bug in Android, StrandHogg 2.0

Security researchers have found a major vulnerability that affects all devices running Android 9.0 and earlier. Let us see what this vulnerability is all about and its impact on the end-users.

StrandHogg 2.0 helps to hijack the identity of any legitimate app. According to the survey, almost 70% of the android devices are exposed to this vulnerability. Although Android 10, 9, and 8 with a security patch of May 2020 are not affected and these are only 30% of the android users.

Description:

Strandhogg 2.0 exploits (CVE-2020-0096) the behavior of the android system. Let us take an example, you clicked on a link which you received on the Gmail app. Now, press the recent app button. The preview will show the webpage, but the app icon and name of the app will be of the Gmail. Even Google play protect fails it to have. StrandHogg 2.0 does not need any Android permissions to run, but it can hijack the permissions of other apps that have access to a victim’s contacts, photos, and messages by triggering a permissions request. 

Impact:

StrandHogg 2.0 hijacks app’s Context.startActivities() API method potentially exposing private SMS messages, photos, login credentials, GPS movements, phone conversations, and more. The bug is almost undetectable as there is no prominent way to detect it. Once the permission is granted, the malicious app can start uploading the user’s data that can even lead to a 2-factor authentication bypass.

The risk of this vulnerability is low, but the severity is very high.

Attack Scenario:

  1. Assuming the StrandHogg malicious app is installed and running on the victim’s mobile device.
  2. A pop up asks for specific permission when a user starts using the Gmail app. Here is where the user gets into the phishing hook.
  3. The victim will never get to know that the permissions he/she gives are actually for the malicious application and not for the Gmail app.
  4. As soon as he/she grants the permissions, the Gmail app starts functioning normally and the data privacy of the victim will be compromised after a successful attack.

Figure 1: A Typical attack flow of StrandHogg 2.0

Mitigation:

As the fix for this bug is a part of the core Android operating system, Android users are subservient on the manufacturer and their service providers who are not that much paranoid about the user’s privacy and security. The statement here “Android users should update their device to the latest version of Android.” does not apply to all users so, the app developers and especially developers of mobile financial services apps need to take extra care.

Author: Akshay Khandhadia

1 Comment

Leave a Reply