

Researchers at a Norwegian cybersecurity firm have discovered a vulnerability in Android that can be exploited by malicious apps to steal user data such as passwords, files and text message conversation logs.
Promon AS, the firm that identified the vulnerability, publicly shared its findings today. Google LLC rolled out a patch a few weeks ago as part of its scheduled May update for Android.
The vulnerability, dubbed StrandHogg 2.0, affects the 2018 Android Pie release and all earlier versions, which power about 90% of mobile devices that run on Google’s operating system. The latest Android 10 release is not affected. Hackers who manage to sneak a malicious app onto a handset could exploit StrandHogg 2.0 to place a data-stealing overlay on top of legitimate apps and intercept input entered by the user.
“By exploiting this vulnerability, a malicious app installed on a device can attack and trick the user so that when the app icon of a legitimate app is clicked, a malicious version is instead displayed on the user’s screen,” Promon researchers detailed in a blog post. “If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps.”
Login credentials aren’t the only type of data at risk from StrandHogg 2.0-based cyberattacks. Malware can generate a deceptive overlay when a legitimate app requests operating system permissions, for example to view the user’s photos or location, and hackers can then hijack those permissions to gain broader access to the user’s data or Android installation.
StrandHogg 2.0 is named after a similar flaw in Android that was spotted last year. This latest vulnerability is believed to be more dangerous because, unlike its namesake, it can be exploited without requiring that the user grant a malicious app any operating system permissions. Moreover, it’s harder for security tools to detect.
“StrandHogg 2.0 is also much more difficult to detect because of its code-based execution,” Promon’s researchers wrote. Whereas the previous exploit required that hackers “explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions,” StrandHogg 2.0 requires no such file and thereby makes it easier for hackers to cover their tracks.
Neither the security firm nor Google has seen any evidence that the vulnerability is being exploited to target Android devices. However, it’s possible hackers will try to incorporate StrandHogg 2.0 into attacks now that the vulnerability is publicly known, which means it’s advisable for affected users to download Google’s May patch as soon as possible.