New Android Vulnerability Strandhogg 2.0 Exploits User Trust (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A Norwegian infosec firm discovered a new Android vulnerability, which they've dubbed Strandhogg 2.0. Security firm Promon says "Strandhogg" is an old Norse strategy for coastline raids and abductions, and today's vulnerability is the "evil twin" of a similar one discovered in 2019. The original Strandhogg used an Android feature called taskAffinity to hijack applications -- by setting the taskAffinity of one of its activities to match the packageName of any other app, then setting allowTaskReparenting="true" in its own manifest, the Strandhogg app would be launched in place of the target app. Strandhogg 1.0's major weakness was the need to declare taskAffinity in the Android Manifest. The Manifest is a plain XML file and must be included in the package hosted at the Play Store itself -- it can't simply be downloaded later, after the app is installed. This made it relatively simple to scan the Play Store for apps with sketchy-looking taskAffinity declarations. Strandhogg 2.0 doesn't require any special settings in a package's Android Manifest -- meaning the attacking code doesn't need to be present on the Play Store to be scanned at all. Instead, the attacker can download the attack code later, once the trojan app or game is already installed on a user's device.
In addition to the obvious credential-stealing attacks, Strandhogg can be used to trick users into escalating its privileges based on the trust they have for the apps it hijacks. For example, a user tapping Camera is asked if they want to grant it permission to access the camera and microphone -- if the user taps Yes, they've actually given those privileges to the malware app, not the Camera app it covered up on the screen. Strandhogg 2.0 affects all versions of Android prior to 10 -- which translates to roughly 90 percent of the Android userbase. Google rolled out a patch to close the Strandhogg 2.0 vulnerability, CVE-2020-0096, in May's Android Security Update. This is good news for Pixel users -- but as always, carriers and OEMs may delay those upgrades significantly.
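The manifest scan the summary describes for Strandhogg 1.0 (an activity claiming another package's taskAffinity while task reparenting is enabled) can be expressed as a small defensive checker. This is an added example, not Promon's scanner or any Google tooling; the manifest and package names are constructed. As the summary notes, this only catches the 1.0 pattern: Strandhogg 2.0 needs no manifest declaration, so a clean manifest is not evidence of a clean app.

```python
"""Flag the Strandhogg 1.0 manifest pattern: an <activity> whose
android:taskAffinity names a different package while allowTaskReparenting
is in effect. Added example, not Promon's or Google's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_suspicious_affinities(manifest_xml: str) -> list[dict]:
    """Return one finding per activity that claims another package's task
    affinity while allowTaskReparenting is true, either on the activity
    itself or inherited from <application>."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    app = root.find("application")
    app_reparent = app is not None and _attr(app, "allowTaskReparenting") == "true"
    findings = []
    for activity in root.iter("activity"):
        affinity = _attr(activity, "taskAffinity")
        # No declaration, empty affinity, or the app's own package: benign.
        if not affinity or affinity == package:
            continue
        reparent = _attr(activity, "allowTaskReparenting")
        reparent_on = app_reparent if reparent is None else reparent == "true"
        if reparent_on:
            findings.append({"package": package,
                             "activity": _attr(activity, "name"),
                             "taskAffinity": affinity})
    return findings


# Constructed sample manifest with hypothetical package names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fungame">
  <application android:allowTaskReparenting="true">
    <activity android:name=".MainActivity" />
    <activity android:name=".FakeLogin"
        android:taskAffinity="com.example.targetbank" />
    <activity android:name=".Settings"
        android:taskAffinity="com.example.fungame"
        android:allowTaskReparenting="true" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_suspicious_affinities(SAMPLE_MANIFEST):
        print(f"{f['package']}: {f['activity']} claims affinity {f['taskAffinity']}")
```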
Re: Too Smart (Score:3)
A fix for it would be to require the affinity to be to apps from the same developer.
On the face of it I could see why Facebook would want to be allowed to switch you between messenger and Facebook etc. or Adobe within the creative suite.
"Exploits User Trust" (Score:2)
Something really meta about that.
Android security is proprietary. (Score:3)
Re: (Score:2)
Replaced my 7 year old samsung phone (Score:3)
with a pixel 3a XL.
I only ever got one update after I got the Samsung phone. I finally had to get rid of it (android 5.5.1 was the last version I ever got for it.) I removed the SD card from the old Samsung, and the battery wouldn't fit back in because it had bulged so badly.
On the Pixel I have received a full update (android 9 to android 10) and a bunch of other updates in the month and a half I've had it. The Pixel 3a XL is around $319 unlocked on Amazon this week.
I'd also recommend installing firewall software, to control access to external resources.
Re: (Score:2)
Google rolled out a patch to close the Strandhogg 2.0 vulnerability, CVE-2020-0096, in May's Android Security Update.