StrandHogg 2.0 Critical Bug Allows Android App Hijacking

silversurfer

A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone – potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.

The bug is dubbed the “StrandHogg 2.0” vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the original StrandHogg bug discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.

However, Version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, “allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,” researchers explained, in a white paper published on Tuesday. The original StrandHogg allowed attacks via the TaskAffinity Android control setting.

“StrandHogg 2.0…has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” according to the research.
 
