A new strain of the StrandHogg Android exploit has been spotted, potentially impacting as many as 90 percent of users. Dubbed StrandHogg 2.0 by researchers from the security firm Promon, the exploit takes advantage of an old vulnerability in Android’s code.
The issue arises from the fact that the vulnerability exploited by StrandHogg was only just patched with Android 10. As per Google’s most recent distribution figures, released in April, that means only around 8.2 percent of users are protected. Smartphones and tablets running versions of the firmware as old as Android 4.0 Ice Cream Sandwich are still in use. And that could leave billions of devices open to attack.
Now, Google has reportedly confirmed that a patch to its Google Play Store scanning app remedies the issue. Namely, the tool should now detect the issue and alert users. Users are being advised to update their apps and system wherever possible to prevent potential problems.
How exactly does StrandHogg 2.0 exploit the Android vulnerability?
The underlying problem with the exploit is that it allows malware apps to masquerade as legitimate ones. So it generally arrives on users’ devices as an illegitimate application posing as something it isn’t. From there, it can wreak all kinds of havoc, primarily centered around tricking users into unwittingly giving up sensitive information.
StrandHogg 2.0 takes things further by embedding itself and then taking advantage of Android’s multitasking system. Specifically, it waits for legitimate apps to be opened and hijacks them. The hijacked app then displays a login page, tied in with an overlay page that allows credentials to be skimmed off.
In short, the exploit takes advantage of the Android vulnerability to conduct malicious activities through apps that don’t otherwise pose a threat. That would allow attackers to gain access to passwords and usernames with relative ease.
Making matters worse, the app can trigger requests for sensitive data, from photos and location data to messages. The latter example means that two-factor authentication, particularly with codes sent via SMS, doesn’t necessarily prevent bad actors from gaining access to accounts.
This doesn’t appear to be exploited
As noted above, Google says that it has patched this problem for devices with the Play Protect service. That’s available in the Google Play Store and turned on by default. But that doesn’t mean everybody will be safe since the feature can be turned off. Those who have the feature turned off and are on older versions of Android should activate Play Protect again.
For anybody running Android 10 or newer, it’s still a good idea to keep Play Protect active. These types of vulnerabilities are exactly what the feature is intended to protect against. Users should also take advantage of the many legitimate anti-virus and security apps that are available on the Google Play Store.
In the interim, the Promon researchers do indicate that there has been no example of the exploit being taken advantage of “in the wild.” That means that apps on the Play Store have not been noted as being affected. And no third-party apps from secondary sources have either. That could change in the future but seems unlikely given that Google has already addressed the problem on its end.