Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Android

New Android Vulnerability Strandhogg 2.0 Exploits User Trust (arstechnica.com) 10

An anonymous reader quotes a report from Ars Technica: A Norwegian infosec firm discovered a new Android vulnerability, which they've dubbed Strandhogg 2.0. Security firm Promon says "Strandhogg" is an old Norse strategy for coastline raids and abductions, and today's vulnerability is the "evil twin" of a similar one discovered in 2019. The original Strandhogg used an Android feature called taskAffinity to hijack applications -- by setting the taskAffinity of one of its activities to match the packageName of any other app, then setting allowTaskReparenting="true" in its own manifest, the Strandhogg app would be launched in place of the target app. Strandhogg's 1.0 major weakness was the need to declare taskAffinity in the Android Manifest. The Manifest is a plain XML file and must be included in the package hosted at the Play Store itself -- it can't simply be downloaded later, after the app is installed. This made it relatively simple to scan the Play store for apps with sketchy-looking taskAffinity declarations. Strandhogg 2.0 doesn't require any special settings in a package's Android Manifest -- meaning the attacking code doesn't need to be present on the Play Store to be scanned at all. Instead, the attacker can download the attack code later, once the trojan app or game is already installed on a user's device.

In addition to the obvious credential-stealing attacks, Strandhogg can be used to trick users into escalating its privileges based on the trust they have for the apps it hijacks. For example, a user tapping Camera is asked if they want to grant it permission to access the camera and microphone -- if the user taps Yes, they've actually given those privileges to the malware app, not the Camera app it covered up on the screen. Strandhogg 2.0 affects all versions of Android prior to 10 -- which translates to roughly 90 percent of the Android userbase. Google rolled out a patch to close the Strandhogg 2.0 vulnerability, CVE-2020-0096, in May's Android Security Update. This is good news for Pixel users -- but as always, carriers and OEMs may delay those upgrades significantly.

This discussion has been archived. No new comments can be posted.

New Android Vulnerability Strandhogg 2.0 Exploits User Trust

Comments Filter:
  • Something really meta bout that.

  • by dicobalt ( 1536225 ) on Tuesday May 26, 2020 @07:47PM (#60108490)
    Imagine a world were Dell and HP deployed Windows updates instead of Microsoft.
    • by Merk42 ( 1906718 )
      It's only proprietary because the other handset makers are making modifications for "muh brand". If you use the same as Google, or something close, or, are just not lazy, you can have updates out just as fast (R.I.P. Essential).
  • by bobstreo ( 1320787 ) on Tuesday May 26, 2020 @07:49PM (#60108496)

    with a pixel 3a XL.

    I only ever got one update after I got the Samsung phone. I finally had to get rid of it (android 5.5.1 was the last version I ever got for it.) I removed the sd card from the old Samsung, and the battery wouldn't fit back in because it had bulged so badly.

    On the pixel I have received a full update (android 9 to android 10) and a bunch of other updates in the month and a half I've had it. The pixel 3a XL is around $319 unlocked on amazon this week.

    I'd also recommend installing firewall software, to control access to external resources.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...