29.5.20

Critical Android flaw lets attackers hijack almost any app, steal data



Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers


Researchers have found a critical flaw that affects nearly all devices running Android 9.0 or older, which implies that over 90% of Android users could be vulnerable. If exploited, the security hole allows hackers to hijack almost any app and steal victims’ sensitive data, according to researchers at Promon, who uncovered the vulnerability and dubbed it StrandHogg 2.0.

The good news is that malware exploiting the vulnerability has not been observed in the wild. Importantly, Google provided a patch to Android device makers in April 2020, with the fix – for Android versions 8.0, 8.1 and 9.0 – being rolled out to the public as part of the latest assortment of monthly security updates throughout this month. Promon notified Google about the vulnerability in early December 2019.

Indexed as CVE-2020-0096, the elevation of privilege flaw resides in the Android system component and can be abused through a method called reflection that allows malicious apps to impersonate legitimate applications while the victim is none the wiser. As a result, once a malicious app is downloaded and installed on a vulnerable device, an attacker could steal the victim’s access credentials, record conversations, track their movements via GPS, or access stored data such as photos or messages.

Let’s say a malicious app sneaks into your device and you click on a legit app that requires your access credentials. Instead of that app, however, the data-stealing overlay is displayed. You go on to enter your credentials and those are immediately transferred to the criminal, who now has control of this app. It isn’t just the credentials that are at risk – the app can hijack permissions that are being granted to apps, notably access to the GPS, microphone, or camera. Most apps are vulnerable to the attack by default.