StrandHogg 2.0 Android flaw affects over 1 Billion devices

Researchers disclosed a new critical vulnerability (CVE-2020-0096, aka StrandHogg 2.0) affecting the Android operating system that could allow attackers to carry out a sophisticated version of Strandhogg attack.

A group of Norwegian researchers disclosed a critical flaw, tracked as CVE-2020-0096, affecting Android OS that could allow attackers to carry out a sophisticated version of the Strandhogg attack.

In December, security experts atPromon disclosed a vulnerability, dubbed StrandHogg, that has been exploited by tens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in the Android’s multitasking system that could be exploited by a rogue application installed on the device to pose as a legitimate application in the attempt to harvest elevated permissions from the victims.

A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions to control the devices.

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.

The same team of Norwegian researchers that discovered the Strandhogg now reported the CVE-2020-0096 flaw and called Strandhogg 2.0. The ‘Strandhogg 2.0,’ vulnerability affects all Android devices, except those running Android Q/10, this means that 80%-85% Android devices are exposed to hack.

The Strandhogg 2.0 flaw is an elevation of privilege flaw that allows hackers to gain access to almost all apps installed on the devices.

StrandHogg 1.0 could be used to attack apps one at a time, StrandHogg 2.0 allow attackers “dynamically attack nearly any app on a given device simultaneously at the touch of a button,” all without requiring a pre-configuration for each targeted app.

Android Flaw

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

“Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”

Targeted users could not spot the StrandHogg attack, which can be exploited without root access and works on all versions of Android.

The new flaw can be used for various types of phishing attack, such as displaying a fake login screen, gathering different types of sensitive information, denial of service, and/or collecting permissions
under the guise of the target app (such as SMS, GPS positioning and more).

Experts reported the flaw to Google in December, the tech giant released a security patch to manufacturing companies in April 2020, that are going to release security updates to their devices.

Below the PoC video released by the experts:

Pierluigi Paganini

May 28, 2020

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...