Android ‘StrandHogg 2.0’ flaw lets malware assume identity of any app

Researchers have publicised a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.

Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow up to a similar flaw of the same name made public by the company last year.

Strandhogg is, apparently, the old Norse word for the Viking tactic of sailing up to coastal towns and plundering them, which isn’t a bad description of what the bug might be capable of if it were used in a real attack.

Promon doesn’t delve into the inner workings of the flaw in huge detail but malware exploiting it would be able to overlay a malicious version of any app over the real app, capturing all logins as they are entered by an oblivious user.

Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.

Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.

Promon claims the code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.

Because this attack is so hard to spot, and can steal almost anything on a device (GPS data, images, logins, SMS messages and emails, phone logs, etc.) there’s a chance it might be interesting to nation state hackers as well as criminals out for profit.

Promon predicts that attackers will look to utilise both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways.

Who is affected?

Anyone running Android versions 9.0 or earlier – the only Android version not affected by Strandhogg 2.0 is version 10, currently installed on only a small proportion of smartphones.

Reported to Google last December, the company patched what is now identified as CVE-2020-0096 in the recent May Android update.

It’s not clear how effective mitigations might be which puts a premium on patching this flaw. Unfortunately, the only smartphones that have definitely received this are Google’s own Pixel devices.

If your Android smartphone is made by a third party, patches for Android 8 and 9 could turn up any time from now to several months down the line (potentially vulnerable versions before 8 and 9 no longer receive patches at all).

Users can check their update status via Settings > About phone and looking for the month mentioned in the patch level (May 2020 being the latest). From version 10, the same information is found under Settings > Security.

More likely, the last patch will be anything from two to six months ago. The good news is that, unlike StrandHogg 1.0, there’s no evidence hackers have ever discovered or exploited this weakness.

The risk posed by this right now is probably low. What its existence emphasises is the urgency of improving the patching of Android devices, including the tricky and still-to-be-solved issue of what happens when non-Google devices stop receiving updates after two years.

Currently, nobody knows, a flawed approach whose long-term risks grow larger with every passing Android version.

Note: The small number of Android models using the stock Android One platform (Nokia’s 7.2, Motorola’s One Vision and a few others) receive two years of feature updates but three years of security updates.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.