New version of Android vulnerability Strandhogg is easier to exploit
A Norwegian security company has found a way to more easily exploit a previously discovered vulnerability in Android. It concerns Strandhogg 2.0, which can mimic apps to steal credentials or take over permissions.
Strandhogg 2.0 was discovered by the Norwegian security company Promon and is said to be a spiritual successor to Strandhogg, which was discovered late last year. Strandhogg was also able to inherit permissions from other Android apps. The current research points to a vulnerability that makes Strandhogg even easier to implement.
Strandhogg 2.0 uses the same kind of vulnerability as the original version, but in a different way. The original malware exploited an Android feature called taskAffinity, which is intended to make switching between apps quicker. Strandhogg can use taskAffinity to impersonate another app by copying that app's package name. For example, the malicious app can simulate a banking app in order to obtain login data. The infected app could also ask for certain Android permissions, making users think the permissions were needed for the original app.
The original Strandhogg was relatively easy to block in the Play Store because the taskAffinity setting had to be declared in the Android Manifest before the vulnerability could be exploited. Strandhogg 2.0 takes a different approach. According to Promon, it is no longer necessary to manipulate packages in the Android Manifest; the code to attack a user is only downloaded afterwards.
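The manifest check that made the original Strandhogg blockable can be sketched as follows. This is an added example, not code from Promon or Google: it scans a decoded AndroidManifest.xml for activities whose taskAffinity names another app's package. The sample manifest, the package names and the "own namespace" heuristic are assumptions made for illustration, and by the article's account such a check does not cover Strandhogg 2.0, which needs no manifest entry.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample: a decoded (text) AndroidManifest.xml, not the binary XML
# stored inside an APK. All package and activity names are made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:taskAffinity="com.example.flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.bank"/>
    <activity android:name=".HelpActivity" android:taskAffinity=""/>
  </application>
</manifest>
"""

def is_foreign(affinity, own_package):
    """True when the affinity names a task outside the app's own package."""
    if not affinity:  # absent or empty string: no affinity is claimed
        return False
    # Heuristic (assumption): "<own package>.<suffix>" still belongs to the app.
    return affinity != own_package and not affinity.startswith(own_package + ".")

def find_foreign_affinities(manifest_xml):
    """Return (activity name, taskAffinity) pairs that point at another package."""
    # For untrusted manifests, parse with a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_affinity = app.get(AFFINITY)  # inherited by activities that set none
        for activity in app.iter("activity"):
            affinity = activity.get(AFFINITY, app_affinity)
            if is_foreign(affinity, own_package):
                findings.append((activity.get(NAME), affinity))
    return findings

if __name__ == "__main__":
    for name, affinity in find_foreign_affinities(SAMPLE_MANIFEST):
        print(f"review: {name} declares taskAffinity={affinity}")
```

A finding is a reason to review the app, not proof of malice.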
Strandhogg 2.0 is also slightly easier to exploit because the malware does not require root access to run on the phone. That was still a requirement with the original.
The security company has reported the vulnerability to Google, which included a patch in the April update for Android. The vulnerability has been assigned the identifier CVE-2020-0096. Strandhogg 2.0 is not exploitable on Android 10, but it is on all older versions.