Left unpatched, the
vulnerability could expose almost all Android users to the risk of having their
personal data intercepted by attackers
Researchers have found a critical flaw that affects
nearly all devices running Android 9.0 or older, which implies that over 90% of Android users could be vulnerable. If exploited, the security hole allows
hackers to hijack almost any app and steal victims’ sensitive data, according
to researchers at Promon, who uncovered the vulnerability and dubbed it StrandHogg 2.0.
The good news is that malware exploiting the
vulnerability has not been observed in the wild. Importantly, Google provided a
patch to Android device makers in April 2020, with the fix – for Android
versions 8.0, 8.1 and 9.0 – being rolled out to the public as part of the latest assortment of monthly security updates throughout this month. Promon notified Google about the vulnerability in early December 2019.
Indexed as CVE-2020-0096, the elevation of privilege flaw resides in the Android system
component and can be abused through a method called reflection that allows
malicious apps to impersonate legitimate applications while the victim is none
the wiser. As a result, once a malicious app is downloaded and installed on a
vulnerable device, an attacker could steal the victim’s access credentials,
record conversations, track their movements via GPS, or access stored data such
as photos or messages.
Let’s say a malicious app sneaks into your device
and you click on a legit app that requires your access credentials. Instead of
that app, however, the data-stealing overlay is displayed. You go on to enter
your credentials and those are immediately transferred to the criminal, who now
has control of this app. It isn’t just the credentials that are at risk – the
app can hijack permissions that are being granted to apps, notably access to
the GPS, microphone, or camera. Most apps are vulnerable to the attack by
default.