A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone – potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.
The bug is dubbed the “StrandHogg 2.0” vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the original StrandHogg bug discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.
However, version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, “allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,” researchers explained in a white paper published on Tuesday. The original StrandHogg allowed attacks via the Android `taskAffinity` control setting.
“StrandHogg 2.0…has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” according to the research.
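The task-affinity setting used by the original StrandHogg is declared in an app's manifest, so it can be reviewed statically. The following is an added example, not code from the article or from Promon: it audits a decoded `AndroidManifest.xml` for activities whose effective `android:taskAffinity` names another app's package. The manifests and package names are constructed, and treating "outside the app's own package namespace" as the review trigger is an assumption; the check does not cover StrandHogg 2.0, which the researchers say works through reflection.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (decoded text XML; all names are made up).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".Main"/>
    <activity android:name=".Overlay" android:taskAffinity="com.example.bank"/>
  </application>
</manifest>"""

HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:taskAffinity="">
    <activity android:name=".Login"/>
    <activity android:name=".Help" android:taskAffinity="com.example.bank.help"/>
  </application>
</manifest>"""


def audit_task_affinity(manifest_xml):
    """Return (activity, affinity) pairs whose effective task affinity
    falls outside the declaring app's own package namespace."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # Activities inherit the <application> affinity, which itself
        # defaults to the package name when the attribute is absent.
        app_affinity = app.get(AFFINITY, package)
        for act in app:
            if act.tag != "activity":
                continue
            affinity = act.get(AFFINITY, app_affinity)
            if affinity == "":  # empty string: no affinity to any task
                continue
            if affinity == package or affinity.startswith(package + "."):
                continue
            findings.append((act.get(NAME), affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in audit_task_affinity(SUSPICIOUS):
        print(f"review: {name} declares affinity for {affinity}")
```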