StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.


Dubbed StrandHogg 2.0 because it's similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news, though, is that there is no indication it is being actively used by attackers.

About StrandHogg 2.0 (CVE-2020-0096)

Like StrandHogg before it, CVE-2020-0096:

  • Doesn’t need the target device to be rooted and doesn’t require any specific permissions
  • Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay takes the form of a login screen, request for permissions, etc.

Unlike StrandHogg, StrandHogg 2.0:

  • Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
  • Is more difficult to detect because of its code-based execution.

“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.

“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”

StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection to make static analysis of the malicious app difficult.

Promon researcher John Høegh-Omdal says that malware that exploits StrandHogg 2.0 will be harder for anti-virus and security scanners to detect.

Who’s affected and what to do?

According to Promon’s research, the vulnerability affects all Android versions below Android 10, with the caveat that early Android versions (<4.0.1) have not been tested. Google released a patch to Android ecosystem partners in April 2020 and a fix for Android versions 8.0, 8.1, and 9 to the public in May 2020.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” says Tom Lysemose Hansen, CTO and founder of Promon.

As with StrandHogg, users are advised to be wary of permission pop-ups that don’t contain an app name and apps that they have already logged into asking for login credentials.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild,” Hansen advises.

These measures include setting all of the app’s public activities to launchMode="singleTask" or launchMode="singleInstance" in AndroidManifest.xml.
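
An added example, not from the article or from Promon: a Python check that lists the public activities in a source-form AndroidManifest.xml whose launchMode is not one of the two values recommended above. The sample manifest and function names are constructed for illustration, and treating an activity with an intent-filter as public when android:exported is absent is an assumption (the pre-Android 12 default).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAFE_MODES = {"singleTask", "singleInstance"}

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:launchMode="singleTask">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ShareActivity" android:launchMode="singleTop">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_public(activity):
    """Explicit android:exported wins; otherwise assume the pre-Android 12
    default, where declaring an intent-filter makes the activity exported."""
    exported = attr(activity, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return activity.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (name, launchMode) for each public activity whose launchMode
    is not singleTask or singleInstance; a missing launchMode is 'standard'."""
    root = ET.fromstring(xml_text)
    findings = []
    for act in root.iter("activity"):
        mode = attr(act, "launchMode") or "standard"
        if is_public(act) and mode not in SAFE_MODES:
            findings.append((attr(act, "name"), mode))
    return findings

if __name__ == "__main__":
    for name, mode in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: launchMode={mode}")
```

The check expects the plain-text manifest from the source tree or a decoded APK, not the binary XML stored inside the APK itself.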
