StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft - Help Net Security


Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.



Dubbed StrandHogg 2.0 because it's similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news, though, is that there is no indication it is being actively used by attackers.


About StrandHogg 2.0 (CVE-2020-0096)


Like StrandHogg before it, CVE-2020-0096:


Doesn’t need the target device to be rooted and doesn’t require any specific permissions
Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay takes the form of a login screen, request for permissions, etc.

Unlike StrandHogg, StrandHogg 2.0:


Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
Is more difficult to detect because of its code-based execution.

“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.


“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”
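The manifest tip-off described in the quote above can be checked statically. The following Python is an added example, not code from the article or from Promon: it assumes the manifest has already been decoded to text XML, and it flags activities whose effective taskAffinity falls outside the app's own package namespace. The own-namespace rule is a heuristic assumption, the function name is hypothetical and the sample manifest is constructed; it applies to StrandHogg (1.0) only.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def foreign_task_affinities(manifest_xml):
    """Return (activity, affinity) pairs whose effective taskAffinity
    lies outside the app's own package namespace (heuristic)."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        # Decoded manifests carry no DTD; refuse entity tricks in untrusted input.
        raise ValueError("unexpected DTD in manifest")
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # An affinity set on <application> is inherited by its activities.
    app_default = app.get(ANDROID + "taskAffinity")
    findings = []
    for activity in app.findall("activity"):
        affinity = activity.get(ANDROID + "taskAffinity", app_default)
        if not affinity:
            continue  # None: defaults to own package; "": no affinity at all
        if affinity == package or affinity.startswith(package + "."):
            continue  # own namespace, treated as benign by this heuristic
        findings.append((activity.get(ANDROID + "name", "?"), affinity))
    return findings

# Constructed sample manifest (not taken from a real app).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.example.flashlight.settings"/>
    <activity android:name=".PromoActivity"
              android:taskAffinity="com.example.bank"/>
    <activity android:name=".HelpActivity" android:taskAffinity=""/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, affinity in foreign_task_affinities(SAMPLE):
        print(f"review: {name} declares taskAffinity={affinity}")
```

A hit is a reason for manual review, not a verdict, since taskAffinity has many legitimate uses.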


StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection ..