The Evil Twins: StrandHogg 1.0 and 2.0

Some history

• StrandHogg was not present in Google Play but was installed through dropper apps that were distributed by Google Play.
• The StrandHogg 1.0 vulnerability was discovered last year when an Eastern European security company for the financial sector had been informed of several Czech Republic banks losing money from customer accounts.
• While the affected apps have been removed by Google, the vulnerability has not yet been patched, including Android 10.

What is happening

Worth noting

• Google has classified StrandHogg 2.0 as a critical severity with the CVE number CVE-2020-0096.
• While the first version exploits the Android control setting TaskAffinity, the second one does not.
• According to researchers, 91.8% of Android users are still using Android version 9.0 or earlier, thus, prone to attacks.
• StrandHogg 2.0 is extremely difficult to identify because of its code-based execution.

Impact and Response

• It is predicted by Promon researchers that the threat actors will use both the twins together because both vulnerabilities are uniquely positioned to attack different devices in different ways. This would maximize the target area.
• A spokesperson for Google stated that Google Play Protect blocks apps that exploit the StrandHogg 2.0 vulnerability.
• Although Google has issued a patch for Android versions 9, 8.1, and 8.0, the other versions will remain vulnerable. Since StrandHogg 2.0 does not affect Android 10, users are suggested to update their devices to the latest firmware.