A critical elevation-of-privilege vulnerability found in Android devices could potentially be exploited, without root access or user permission, to hijack virtually all mobile apps in order to spy on individuals or steal their login credentials.

Google has developed a security patch for Android versions 8, 8.1 and 9 — alerting its partners of the update in April and releasing it to the general public earlier this month as part of its May Security Bulletin. Android 10 is not affected by the vulnerability.

Still, mobile security experts point out that Android versions prior to 8 remain exposed, since the patch covers only 8.0 through 9, and they note that whether a patch ever reaches a given device depends on the manufacturer and carrier deploying the fix. Additionally, they say this latest discovery places further responsibility on Google to ensure that its official app store can detect and keep out malicious dropper apps that attempt to distribute malware designed to exploit the vulnerability.

Researchers at Promon who uncovered the flaw refer to the bug as StrandHogg 2.0 because its location and potential ramifications are similar to those of another Android flaw they previously discovered, known simply as StrandHogg. The difference this time is that the vulnerability is even more dangerous and more difficult to detect.

Attackers who exploit StrandHogg 2.0 can access SMS messages and photos, swipe login credentials, track GPS movements, record phone conversations, access the camera and microphone, and review contact lists and phone logs, according to an informational web page Promon has published.

Officially designated CVE-2020-0096, StrandHogg 2.0 affects devices running Android 9 or earlier. Only about 10 percent of Android device owners currently run Android 10, Google reportedly disclosed earlier this month.

Promon is not aware of any exploit attempts in the wild so far. In such a scenario, however, attackers could arrange that when a victim taps the icon of a legitimate app, a malicious look-alike screen is displayed instead. That overlay could ask for credentials, which the adversaries then harvest, or it could request additional permissions so the malicious app can do even more damage.

According to a Promon research report, StrandHogg 2.0 lives in Android’s task management system and involves what the researchers call a “peculiarity in startActivities(Intent[])” that lets a malicious app launch its own activity so that it is shown in place of the legitimate app the user intended to open.

“By implementing code, an attacker can replace the end-user view of almost any Android app by hijacking the tasks,” the report explains. “This can be used to gain various platform permissions (by hijacking apps such as the SMS app, mail app, camera app, maps etc.), and stealing login credentials. The malicious app can hide its intention by obfuscation and reflection, making static analysis of the malicious app challenging.”

To mitigate the vulnerability, Promon advises users to install the Android security update as soon as it is available for their device.

However, “[Because] the fix for this bug is part of the core Android operating system, Android users are once again at the mercy of their handset manufacturers and their service providers, who are often still slow to act when it comes to distributing security patches,” said Tod Beardsley, director of research at Rapid7. “People who are worried about this bug in particular should keep a close eye on when the fix for CVE-2020-0096 hits their particular distribution.”

“Android users should update their device to the latest version of Android. Unfortunately, depending on the device manufacturer and a user’s service provider/carrier that may not be possible,” added Sam Bakken, senior product marketing manager at OneSpan. “This is why app developers and especially developers of mobile financial services apps need to take note.”

Indeed, Promon recommends that app developers implement their own in-app defenses that are capable of monitoring task launches and blocking malicious ones. Bakken agrees with that in-app approach, noting that this latest vulnerability is a reminder to developers that “there’s no reliable way to know the precise security status of mobile devices on which your mobile app operates. Developers have no real way of knowing whether a user’s device is riddled with vulnerabilities, or compromised with malware or not.”
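One shape such an in-app defense can take, as an added illustration that is not Promon’s, Google’s or any vendor’s code: whenever the app’s own activity is pushed into the background, it inspects the task it belongs to and checks whether the activity now on top comes from a different package. A legitimate app switch moves the user to a different task; a foreign activity sitting on top of the app’s own task is the signature of a task hijack. The class name, the `TaskGuard` log tag and the reaction in `onTaskHijackSuspected` are assumptions chosen for the example, and whether a given hijack variant actually surfaces in `getAppTasks()` on a particular Android release is something the app team must verify on the devices it targets; the page does not say what Promon’s own detection does.

```java
import android.app.Activity;
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;

import java.util.List;

/**
 * Added example, not code from the original article or from Promon.
 *
 * Heuristic task-hijack check: when this activity loses the foreground,
 * look at the tasks that belong to our package and flag any whose top
 * activity is owned by another package. Requires API 23+ for
 * RecentTaskInfo.topActivity (an assumption stated in the lead-in).
 */
public class TaskGuardActivity extends Activity {

    private static final String TAG = "TaskGuard"; // hypothetical log tag

    @Override
    protected void onPause() {
        super.onPause();
        ComponentName intruder = findForeignActivityOnOwnTask(this);
        if (intruder != null) {
            onTaskHijackSuspected(intruder);
        }
    }

    /**
     * Returns the first foreign component found on top of one of this app's
     * own tasks, or null when every task is topped by our own activity.
     */
    static ComponentName findForeignActivityOnOwnTask(Context ctx) {
        ActivityManager am =
                (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        if (am == null) {
            return null;
        }
        String self = ctx.getPackageName();
        List<ActivityManager.AppTask> tasks = am.getAppTasks();
        for (ActivityManager.AppTask task : tasks) {
            ActivityManager.RecentTaskInfo info = task.getTaskInfo();
            ComponentName top = info.topActivity; // API 23+
            if (top != null && !self.equals(top.getPackageName())) {
                return top;
            }
        }
        return null;
    }

    /**
     * Reaction policy is the app's choice. This example logs the intruder,
     * wipes session state so that anything typed into a fake login screen
     * cannot be replayed against a live session, and tears down the whole
     * task, intruder included.
     */
    protected void onTaskHijackSuspected(ComponentName intruder) {
        Log.w(TAG, "Foreign activity on top of our task: "
                + intruder.flattenToShortString());
        getSharedPreferences("session", MODE_PRIVATE).edit().clear().apply();
        finishAndRemoveTask(); // API 21+
    }
}
```

The check deliberately runs in `onPause()` rather than `onStop()`: the hijacking activity has already been placed on top of the task by the time the user sees it, and `onPause()` is the earliest lifecycle callback the victim activity receives. Treat a positive result as a signal to investigate, not as proof; a device running a patched build should never produce one.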

The original StrandHogg vulnerability, which was being actively exploited when first announced last December, was also a task management bug. However, it was found residing specifically in Android’s taskAffinity control setting. “For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext,” Promon explains. “While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”

StrandHogg 2.0, on the other hand, is harder to detect because it is carried out entirely from code rather than declared in the app’s manifest. “As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” Promon explains.

The new bug is also more dangerous because it can “dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” Promon clarifies.

Promon predicts that attackers will ultimately try to combine both StrandHogg vulnerabilities, since they attack devices in different manners and are not solved by the same mitigations.

The original StrandHogg bug was exploited using malicious droppers placed in app stores — something Google must be on the lookout for.

“Luckily, the scrutiny Google has built in to the Play Store makes this attack somewhat unlikely. I’m sure everyone will be watching Google’s Play Store protections to see if the application vetting done there actually works,” said Beardsley.

Boris Cipot, senior security engineer at Synopsys, said Android device users “need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion. One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation.”

“The other way to get compromised by this is to load an application through a different mechanism, such as [a third-party] application store,” warned Beardsley. “While this is uncommon in the U.S., alternative sources for applications are more common in places like India, China and Russia.”