Researchers have publicised a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.
Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow up to a similar flaw of the same name made public by the company last year.
Strandhogg is, apparently, the old Norse word for the Viking tactic of sailing up to coastal towns and plundering them, which isn’t a bad description of what the bug might be capable of if it were used in a real attack.
Promon doesn’t delve into the inner workings of the flaw in huge detail but malware exploiting it would be able to overlay a malicious version of any app over the real app, capturing all logins as they are entered by an oblivious user.
Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.
Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.
Promon claims the code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.
Because this attack is so hard to spot, and can steal almost anything on a device (GPS data, images, logins, SMS messages and emails, phone logs, etc.) there’s a chance it might be interesting to nation state hackers as well as criminals out for profit.
Promon predicts that attackers will look to utilise both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways.
Who is affected?
Anyone running Android versions 9.0 or earlier – the only Android version not affected by Strandhogg 2.0 is version 10, currently installed on only a small proportion of smartphones.
Reported to Google last December, the company patched what is now identified as CVE-2020-0096 in the recent May Android update.
It’s not clear how effective mitigations might be which puts a premium on patching this flaw. Unfortunately, the only smartphones that have definitely received this are Google’s own Pixel devices.
If your Android smartphone is made by a third party, patches for Android 8 and 9 could turn up any time from now to several months down the line (potentially vulnerable versions before 8 and 9 no longer receive patches at all).
Users can check their update status via Settings > About phone and looking for the month mentioned in the patch level (May 2020 being the latest). From version 10, the same information is found under Settings > Security.
More likely, the last patch will be anything from two to six months ago. The good news is that, unlike StrandHogg 1.0, there’s no evidence hackers have ever discovered or exploited this weakness.
The risk posed by this right now is probably low. What its existence emphasises is the urgency of improving the patching of Android devices, including the tricky and still-to-be-solved issue of what happens when non-Google devices stop receiving updates after two years.
Currently, nobody knows, a flawed approach whose long-term risks grow larger with every passing Android version.
Note: The small number of Android models using the stock Android One platform (Nokia’s 7.2, Motorola’s One Vision and a few others) receive two years of feature updates but three years of security updates.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Mahhn
I know this is asking a bit much, but..
Question on these flaws, are they design flaws, or part of a support channel/back door for google to manage the OS or apps as needed, and have been discovered by others and become exploits?
Paul Ducklin
Google can (and does) already track what apps are on your phone, e.g. via Google Play, and Google controls the APIs in Android anyway so it can alter the way apps behave as it wants. (This is often very good for security – for example, if Google makes app permissions more restrictive by limiting the data that ca nbe accessed via some part of the API, that change automatically applies to all apps that use that API.)
Google doesn’t need a bug like this – so from Google’s perspective, there is absolutely no upside to it. So, yes, this is a flaw.
Wilderness
Android security seems like a mess, and Apple is…well, Apple, so I wonder if there’s room in the market for a third phone after all, one that’s more secure, clean code and has updates independent of carrier.
Spryte
There was something, the Blackberry, but google and apple put them out of the phone business.
There was also supposed to be Linux phone (Ubuntu of some kind, I think) but it has never come to fruition.
I want Blackberry back… At least I could trust them.
John E Dunn
The Ubuntu smartphone you’re thinking of was the BQ, a cheap device marred by a lack of apps. It disappeared in 2016, which was a shame – the real market for an Ubuntu phone was for a device built around privacy and security. That gap still exists.
Tim
The Pinephone is a new Linux phone running a fork of Ubuntu Touch, but you also can install other OSes instead.