StrandHogg 2.0 allows attackers to imitate most Android apps

Researchers at Norwegian mobile security firm Promon discovered a new elevation-of-privilege vulnerability on Android allows threat actors to gain access to most apps.

The vulnerability, named StrandHogg 2.0 after the StrandHogg vulnerability discovered in 2019 by Promon, "allows for broader attacks and is much more difficult to detect, making it, in effect, its predecessor's 'evil twin,'" according to Promon developer John Høegh-Omdal's report on the vulnerability. Specifically, threat actors can create malicious apps that assume the identity of legitimate apps and, once users click on the fake app, harvest login credentials, private data and other material from the device.

"I was looking into a publicly known mitigation for StrandHogg 1. I was trying to breach our own defense while also trying to compare the solution and also try to break it. I discovered that a method I had been using actually was a vulnerability in itself. So I discovered I could break this mitigation with another vulnerability and that is what eventually turned into StrandHogg 2.0," Høegh-Omdal told SearchSecurity.

StrandHogg 2.0 has been classified as "critical severity" (CVE-2020-0096) by Google, which was notified of the vulnerability on Dec. 4, 2019. "[Google] has rolled out a patch to Android ecosystem partners in April 2020, with a fix security patch (Android versions 8.0, 8.1, and 9) set to be rolled out to the general public in May 2020," the report read.

While Android 10 is not affected by the vulnerability, Promon said the most recent data from Google shows than nearly 92% of all Android devices have 9.0 or an older version of the mobile OS.

When asked about why the disclosure took a longer-than-average amount of time (five-and-a-half months compared to the more typical 90 days), Høegh-Omdal explained that Promon had agreed internally that it wanted to "provide Google with whatever window they needed to have a security patch ready."

While StrandHogg 2.0 could be a concern for enterprises, Høegh-Omdal said that he's more worried about developing nations where Android is more prevalent and older, non-patched devices are frequently sold.