A critical privilege-escalation vulnerability in Android has been disclosed that lets a malicious app installed on a phone hijack any other app on that phone, exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.
The bug was found by Promon researchers and is tracked as CVE-2020-0096. They named it "StrandHogg 2.0" because of its similarity to the original StrandHogg bug they disclosed last year. A malicious app installed on the device hides behind legitimate apps: when the user taps a legitimate app's icon, the malicious app's overlay is shown in its place and can harvest the credentials the user types into it.
According to the researchers, the main difference in version 2.0 is that the attack is carried out through reflection rather than through a setting declared in the app's manifest, as the first version required. This lets a malicious app assume the identity of legitimate apps while leaving no tell-tale entry in its package for a scanner to flag.
The new bug can dynamically attack any app on a given device at once, at the touch of a button, whereas the original StrandHogg could only attack one app at a time.
The attacker's app first injects its own attack activity into the task that belongs to the targeted app, on top of that app's launcher activity. The task still appears to be the targeted app's own, but what the user actually sees is the attack activity that has been placed into it.
So the next time the user opens the app by tapping its icon, the Android OS evaluates the existing tasks and finds the task the attacker prepared. Since it looks genuine for that app, the OS brings it to the foreground, and with it the attack activity.
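As an added, practitioner-oriented illustration of the task layout described above (this is not Promon's code and not part of their proof of concept), the shell helper below scans a saved `dumpsys activity activities` dump for tasks whose back stack contains an activity from a package other than the task's own affinity, which is exactly the state the attack leaves behind. The sample dump is constructed in the shape of an Android 9 dump; the two line forms the parser keys on (`* TaskRecord{... #id A=affinity ...}` and `* Hist #n: ActivityRecord{... pkg/.Activity tID}`) are an assumption and may need adjusting for other Android versions.

```shell
#!/bin/sh
# Added triage helper (not Promon's code): list back-stack entries whose
# package differs from the affinity of the task they sit in.

# Constructed sample in the shape of an Android 9 dump: task 47 (the "bank"
# app) has a foreign activity on top; task 48 (the "mail" app) is clean.
SAMPLE_DUMP='    * TaskRecord{1a2b3c4 #47 A=com.example.bank U=0 StackId=1 sz=2}
      affinity=com.example.bank
      realActivity=com.example.bank/.MainActivity
        * Hist #1: ActivityRecord{5d6e7f8 u0 com.attacker.app/.OverlayActivity t47}
        * Hist #0: ActivityRecord{9a0b1c2 u0 com.example.bank/.MainActivity t47}
    * TaskRecord{3d4e5f6 #48 A=com.example.mail U=0 StackId=1 sz=1}
      affinity=com.example.mail
        * Hist #0: ActivityRecord{7a8b9c0 u0 com.example.mail/.InboxActivity t48}'

# find_foreign_activities  (reads a dump on stdin)
#   Prints "task <id> affinity=<pkg> <top|below> <pkg>/<activity>" for every
#   Hist entry whose package is not the task's affinity; prints nothing if clean.
find_foreign_activities() {
  awk '
    # A "* TaskRecord{hash #47 A=com.example.bank U=0 ...}" line starts a task:
    # remember its id and affinity; the first Hist entry after it is the top.
    /\* TaskRecord/ {
      task = ""; aff = ""; first = 1
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^#[0-9]+$/) task = substr($i, 2)
        if ($i ~ /^A=/)       aff  = substr($i, 3)
      }
      next
    }
    # A "* Hist #1: ActivityRecord{hash u0 pkg/.Activity t47}" line is one
    # back-stack entry; its package is the component text before the "/".
    /\* Hist #[0-9]+: ActivityRecord/ {
      comp = ""
      for (i = 1; i <= NF; i++) if ($i ~ /\//) { comp = $i; break }
      pkg = comp; sub(/\/.*/, "", pkg)
      pos = first ? "top" : "below"; first = 0
      if (task != "" && comp != "" && pkg != aff)
        printf "task %s affinity=%s %s %s\n", task, aff, pos, comp
    }
  '
}

# Real use: adb shell dumpsys activity activities | find_foreign_activities
# Offline demonstration on the constructed dump:
printf '%s\n' "$SAMPLE_DUMP" | find_foreign_activities
```

A hit is a triage lead, not proof: apps legitimately place activities from other packages inside their own task (file pickers, share targets), so check what the foreign package is before drawing conclusions. The dump also only reflects tasks that are alive when it is captured.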
The Promon researchers published a proof-of-concept video showing how an exploit would work.
The StrandHogg vulnerabilities are dangerous because:
- it is almost impossible for targeted users to spot the attack,
- it can be used to hijack the interface of any app installed on a targeted device without requiring any configuration,
- it can be used to request any device permission fraudulently,
- it can be exploited without root access,
- it works on all versions of Android up to and including 9 (Android 10, "Q", is not affected),
- it doesn't need any special permission to work on the device.
StrandHogg 2.0 attacks are also more difficult to detect than the original. No attacks have been seen in the wild so far.
The researchers reported the vulnerability to Google in December last year. Google has prepared a patch (the fix is listed in the May 2020 Android Security Bulletin for Android 8.0, 8.1 and 9), and smartphone manufacturers have started rolling out software updates to their users this month.
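To turn that patch status into something you can check on a fleet, here is an added shell helper (not code from Promon or Google) that classifies a device from its `ro.build.version.release` and `ro.build.version.security_patch` properties. It assumes the fix for CVE-2020-0096 ships with the 2020-05-05 security patch level, the level of the May 2020 Android Security Bulletin in which Google listed it for Android 8.0, 8.1 and 9, and, as the page states, that Android 10 and later are not affected. The sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not Promon's or Google's code): classify a device's exposure
# to CVE-2020-0096 from two build properties.

FIX_PATCH_LEVEL=2020-05-05   # assumption: patch level carrying the fix (May 2020 bulletin)

# strandhogg2_status RELEASE PATCH_LEVEL
#   RELEASE     is ro.build.version.release        (e.g. "9", "8.1.0", "10")
#   PATCH_LEVEL is ro.build.version.security_patch (YYYY-MM-DD)
#   Prints one of: not-affected | patched | vulnerable | unknown
strandhogg2_status() {
  release=$1
  patch=$2
  major=${release%%.*}                      # "8.1.0" -> "8"
  case $major in
    ''|*[!0-9]*) echo unknown; return ;;    # codename previews ("Q") or garbage
  esac
  if [ "$major" -ge 10 ]; then
    echo not-affected; return               # Android 10 (Q) and later
  fi
  # YYYY-MM-DD compares correctly as an integer once the dashes are removed.
  p=$(printf '%s' "$patch" | tr -d '-')
  f=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d '-')
  case $p in
    ''|*[!0-9]*) echo unknown; return ;;    # missing or malformed patch level
  esac
  if [ "$p" -ge "$f" ]; then echo patched; else echo vulnerable; fi
}

# Real use against a connected device (needs adb; not run here):
#   strandhogg2_status "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
#                      "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
# Offline demonstration with constructed values:
strandhogg2_status 9 2020-04-05       # vulnerable
strandhogg2_status 8.1.0 2020-05-05   # patched
strandhogg2_status 10 2019-12-05      # not-affected
```

The patch level is a vendor-reported string, so treat "patched" as the OEM's claim rather than proof. A device on a release below 8.0 was outside the bulletin's coverage, so it will read "vulnerable" unless its maker backported the fix and bumped the reported level.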
Although there is no reliable way for a user to block task-hijacking attacks, or for security software to detect them outright, users can spot signs of one by watching for discrepancies such as:
- an app you are already logged into asking you to log in again,
- permission pop-ups that do not show an app name,
- an app asking for permissions it has no reason to need,
- buttons and links in the user interface that do nothing when tapped,
- the back button not working as expected.