Author Topic: Critical Android bug lets malicious apps hide in plain sight

javajolt
A critical Android security vulnerability disclosed today and dubbed StrandHogg 2.0 can allow malicious apps to camouflage as most legitimate applications and steal sensitive information from Android users.

According to Promon security researchers who found the bug, StrandHogg 2.0 impacts all devices running Android 9.0 and below (Android 10 is not affected), and it can be exploited by attackers without root access.

Spy and steal sensitive user information

After exploiting the critical vulnerability, tracked as CVE-2020-0096, on an Android device, malicious actors can easily steal users' credentials with the help of overlays, or their data by abusing app permissions.

By abusing the StrandHogg 2.0 bug, attackers can perform a wide array of malicious tasks which allow them to:

• Listen to the user through the microphone
• Take photos through the camera
• Read and send SMS messages
• Make and/or record phone conversations
• Phish login credentials
• Get access to all private photos and files on the device
• Get location and GPS information
• Get access to the contacts list
• Access phone logs

Malicious apps that exploit the vulnerability can easily trick users by using reflection to replace the interface of legitimate apps after they are launched, while remaining fully hidden, as Promon explains.

"If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps," Promon says.

"Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone."

Fix already rolled out to all vulnerable Android devices

A security fix was already released by Google for Android versions 8.0, 8.1, and 9: Google was notified of the vulnerability in December 2019 and rolled out a patch to Android ecosystem partners during April 2020.

"Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilizing StrandHogg 2.0," Promon CTO and founder Tom Lysemose Hansen said.

Luckily, as of today, no malware has been observed actively exploiting the security bug in the wild.

StrandHogg 2.0 is similar to a previous Android vulnerability Promon found during 2019, dubbed StrandHogg, and actively exploited at the time by the BankBot banking trojan.

"They are similar in the sense that hackers can exploit both vulnerabilities in order to gain access to very personal information and services, but from our extensive research, we can see that StrandHogg 2.0 enables hackers to attack much more broadly while being far more difficult to detect," Promon CTO and founder Tom Lysemose Hansen said.

StrandHogg allowed malicious apps to hijack Android’s multitasking feature and "freely assume any identity in the multitasking system they desire," while StrandHogg 2.0 is an elevation of privilege vulnerability that enables malware to gain access to almost all Android apps.

Over 90% of Android users exposed to attacks

"Promon predicts that attackers will look to utilize both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible."

Since many of the mitigation measures that can be taken against StrandHogg do not apply to StrandHogg 2.0, and vice versa, many Android users might be exposed to future attacks attempting to exploit both vulnerabilities.

Additionally, since the vast majority of users are still running Android version 9.0 or earlier on their devices (91.8% of Android active users worldwide according to Google), malware designed to abuse the StrandHogg bugs will have a lot of potential targets lined up.

A video demo of StrandHogg 2.0 in action is embedded below.
