The Evil Twins: StrandHogg 1.0 and 2.0

Researchers have publicized a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks. A major vulnerability named as StrandHogg, has two versions 1.0 & 2.0

The term StrandHogg refers to a Norse term meaning hostile takeover. StrandHogg was not present in Google Play but was installed through dropper apps that were distributed by Google Play.

The StrandHogg 1.0 vulnerability was discovered last year when an Eastern European security company for the financial sector had been informed of several Czech Republic banks losing money from customer accounts. Just in six months, Promon researchers found the other twin of StrandHogg and dubbed this vulnerability StrandHogg 2.0 due to similarities between the two.

StrandHogg 2.0 has been declared to be the more severe flaw among the twins, there has been no evidence of it being used in the wild yet. Google has classified StrandHogg 2.0 as a critical severity with the CVE number CVE-2020-0096.

The first version exploits the Android control setting TaskAffinity. This flaw takes advantage of Android's multitasking feature and leaves behind traceable pointers. The second version uses a technique that makes this threat harder for victims to detect. StrandHogg 2.0 can allow attackers to trick victims into thinking that they entered their credentials on a legitimate app, while instead interacting with a malicious overlay.

StrandHogg 2.0 is extremely difficult to identify because of its code-based execution.

About StrandHogg:

Malware exploiting it would be able to overlay a malicious version of any app over the real app, capturing all logins as they are entered by an oblivious user. Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.

It may also appear as a malicious login page. The victim unknowingly grants permission or sends data to the attacker, who then is redirected to the legitimate app. With this level of access, an intruder can proceed to upload data from a victim's device.  

Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.

The code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.

Because this attack is so hard to spot, and can steal almost anything on a device (GPS data, images, logins, SMS messages and emails, phone logs, etc.) there’s a chance it might be interesting to nation state hackers as well as criminals out for profit.

Impact:

According to researchers, 91.8% of Android users are still using Android version 9.0 or earlier, thus, prone to attacks. It is predicted by Promon researchers that the threat actors will use both the twins together because both vulnerabilities are uniquely positioned to attack different devices in different ways.

Google stated that Google Play Protect blocks apps that exploit the StrandHogg 2.0 vulnerability. The affected apps have been removed by Google; the vulnerability has not yet been patched, including Android 10.  Much mitigation that protects against StrandHogg doesn’t work for StrandHogg 2.0, and vice versa.

Recommendations:

The following best practices are suggested to be followed:

  • Users are suggested to update their devices to the latest firmware. StrandHogg 2.0 does not affect Android 10.
  • Make sure download any application from authenticated sites.
  • Android users are highly recommended that do not go to download anything form ads or emails. It may be phishing attack.
  • Always turn on notification for update in your android device. Users can check their update status via Settings- > About Phone and looking for the month mentioned in the patch level (May 2020 being the latest).