The Evil Twins: StrandHogg 1.0 and 2.0

A major vulnerability has been discovered affecting almost every version of Android. It allows malware to impersonate legitimate apps in order to steal sensitive data.

Some history

The name StrandHogg comes from an Old Norse term meaning a hostile takeover.
  • StrandHogg was not present in Google Play but was installed through dropper apps that were distributed by Google Play.
  • The StrandHogg 1.0 vulnerability was discovered last year, after an Eastern European security company serving the financial sector was informed that several banks in the Czech Republic were losing money from customer accounts.
  • While Google has removed the affected apps, the vulnerability itself has not yet been patched, including in Android 10.

What is happening

Just six months later, Promon researchers found the other twin and dubbed the new vulnerability StrandHogg 2.0 because of the similarities between the two. StrandHogg 2.0 can allow attackers to trick victims into believing they are entering their credentials into a legitimate app when they are in fact interacting with a malicious overlay. Although StrandHogg 2.0 has been declared the more severe flaw of the twins, there is no evidence yet of it being used in the wild.

Worth noting

  • Google has classified StrandHogg 2.0 as a critical severity with the CVE number CVE-2020-0096.
  • While the first version exploits the Android control setting TaskAffinity, the second one does not.
  • According to researchers, 91.8% of Android users are still running Android version 9.0 or earlier and therefore remain exposed to these attacks.
  • StrandHogg 2.0 is extremely difficult to identify because it is executed through code rather than through a configuration setting.

Impact and Response

  • Promon researchers predict that threat actors will use both twins together, since the two vulnerabilities are uniquely positioned to attack different devices in different ways, maximizing the number of targets an attack can reach.
  • A spokesperson for Google stated that Google Play Protect blocks apps that exploit the StrandHogg 2.0 vulnerability.
  • Although Google has issued a patch for Android versions 9, 8.1, and 8.0, the other versions will remain vulnerable. Since StrandHogg 2.0 does not affect Android 10, users are suggested to update their devices to the latest firmware.