New Android vulnerability Strandhogg 2.0 exploits user trust

Cartoon flowchart explaining how a phishing attack works.
Magnify / Strandhogg 2.zero will also be considered without equal phishing assault. When the consumer faucets a valid icon—which might be for electronic mail, digital camera, and many others—the malware intercepts the faucet and will provide a copycat conversation as a substitute.

A Norwegian infosec company came upon a brand new Android vulnerability, which they have got dubbed Strandhogg 2.zero. Safety company Promon says “Strandhogg” is an previous Norse technique for sea coast raids and abductions, and nowadays’s vulnerability is the “evil dual” of a an identical one came upon in 2019.

The unique Strandhogg used an Android characteristic known as taskAffinity to hijack programs—through atmosphere the taskAffinity of one among its actions to check the packageName of some other app, then atmosphere allowTaskReparenting=”true” in its personal manifest, the Strandhogg app can be introduced instead of the objective app.

Consider tapping the official Gmail icon to your telephone and getting what seems to be a valid login recommended, pixel-for-pixel similar with the only you’ll see in case your account have been logged off. Would you input your credentials? If one of the most loose video games or apps you or a kid would possibly have put in was once a Strandhogg vessel, you simply gave your credentials to an attacker—which would possibly even release the Gmail utility itself right away after trying out your credentials, leaving no obtrusive signal you have been compromised.

Impatient customers will have to skip forward to one:00—the primary minute of the video is spent merely demonstrating that the Digicam, Fb, Messages, Recordsdata, and Gmail apps are official.

Strandhogg’s 1.zero primary weak spot was once the want to claim taskAffinity within the Android Manifest. The Manifest is a undeniable XML report and will have to be incorporated within the bundle hosted on the Play Retailer itself—it cannot merely be downloaded later, after the app is put in. This made it moderately easy to scan the Play retailer for apps with sketchy-looking taskAffinity declarations.

Strandhogg 2.zero does not require any particular settings in a bundle’s Android Manifest—that means the attacking code does not want to be provide at the Play Retailer to be scanned in any respect. As a substitute, the attacker can obtain the assault code later, as soon as the trojan app or sport is already put in on a consumer’s instrument.

Any Android application can be targeted by Strandhogg's overlay-phishing technique—including banking apps.
Magnify / Any Android utility will also be focused through Strandhogg’s overlay-phishing methodology—together with banking apps.

Along with the most obvious credential-stealing assaults, Strandhogg can be utilized to trick customers into escalating its privileges in keeping with the consider they’ve for the apps it hijacks. For instance, a consumer tapping Digicam is requested in the event that they need to grant it permission to get right of entry to the digital camera and microphone—if the consumer faucets Sure, they have got in truth given the ones privileges to the malware app, now not the Digicam app it lined up at the display.

Strandhogg 2.zero impacts all variations of Android previous to 10—which interprets to kind of 90 % of the Android userbase. Google rolled out a patch to near the Strandhogg 2.zero vulnerability, CVE-2020-0096, in Might’s Android Safety Replace. This is excellent news for Pixel customers—however as all the time, carriers and OEMs might prolong the ones upgrades considerably.

The older Strandhogg 1.zero vulnerability isn’t patched and most probably might not be—apparently that Google prefers to play whack-a-mole with dodgy apps as they’re uploaded to the Play retailer, since it could actually scan for exploits of that vulnerability at once within the Manifests of doable malware programs.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: