At the end of 2019, information security experts at Promon reported a vulnerability in Android that allows malicious applications to impersonate legitimate ones and perform malicious operations on their behalf.
The bug was named StrandHogg. In practice it can trick the user into granting dangerous permissions to a malicious application while the user believes they are interacting with a legitimate one. The problem can also be used to show victims fake login pages when they open legitimate applications.
The essence of StrandHogg was explained well last year by Yevgeny Zobnin, editor of the X-Mobile column: the root of the problem is that in Android, activities have a taskAffinity attribute. It lets you specify the name of the task whose activity stack the activity will be placed on; this exists for finer control over back stacks. By default, however, the value of taskAffinity equals the application's package name, which means that in some cases you can quietly push your application's activity onto another application's activity stack. If you also set allowTaskReparenting="true", that activity can be moved to the very top, and the next time the user taps the target application's icon it will be shown first (that is, it will be at the top of the stack).
Exploiting the problem requires that both the malicious application and the victim application are already running. The user's actions must be as follows: launch the victim application, return to the home screen, launch the malicious application, then open the victim application again. At that point, instead of a cold start, Android simply shows the activity at the top of the stack, and that turns out to be the malicious application's activity.
Let me remind you that Google engineers refused to fix this vulnerability last year, and had refused to do so years earlier. The reason is that this is what is called a design flaw, that is, an error in the design, whose correction would break existing software. Instead of releasing a patch, Google chose to focus on detecting and blocking malicious applications that exploit the vulnerability.
Now experts from the same company, Promon, have published information about a second version of the problem, which they call StrandHogg 2.0 (CVE-2020-0096), and say it is much worse than the first.
The new version of the vulnerability works in a similar way: it makes the victim believe they are entering their credentials in a legitimate application, while in fact they are interacting with a malicious overlay. StrandHogg 2.0 also requires no permissions to work, but it can be used to obtain various permissions through other applications (and subsequently steal confidential user data such as contacts, photos and location information).
The researchers write that the main weakness of the first StrandHogg was the need to declare taskAffinity in the Android manifest. Since the manifest is an ordinary XML file and must be included in the package hosted on the Google Play Store, it cannot simply be downloaded later, after the application is installed. As a result, scanning the official application store for applications with a suspicious taskAffinity was fairly simple, which is what Google did.
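The manifest check described here and the taskAffinity / allowTaskReparenting mechanism explained above can be turned into a simple offline audit. The following is an added example, not Promon's or Google's code: it parses an AndroidManifest.xml (the sample manifest and its package names are constructed) and flags activities whose task affinity points outside the app's own package or that allow task reparenting.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: one normal activity, one with an intentionally
# empty affinity (a legitimate setting), and one using the StrandHogg 1.0 features.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <application>
    <activity android:name=".MainActivity" />
    <activity android:name=".Helper" android:taskAffinity="" />
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.targetbank"
        android:allowTaskReparenting="true" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_suspicious_activities(manifest_xml):
    """Return (activity_name, reason) pairs for activities that either declare a
    taskAffinity naming a task other than this app's own package, or that set
    allowTaskReparenting="true". This is a heuristic: an affinity outside the
    package is not always malicious, but it is the signal worth reviewing."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    # Activities inherit <application> values when they set none themselves.
    app_affinity = _attr(app, "taskAffinity")
    app_reparent = _attr(app, "allowTaskReparenting")
    for act in app.iter("activity"):
        name = _attr(act, "name")
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = app_affinity
        reparent = _attr(act, "allowTaskReparenting") or app_reparent
        # An empty affinity means "no task affinity" and is a legitimate setting.
        if affinity not in (None, "", package):
            findings.append((name, "foreign_task_affinity:" + affinity))
        if reparent == "true":
            findings.append((name, "allow_task_reparenting"))
    return findings
```

Running `find_suspicious_activities(SAMPLE_MANIFEST)` reports only the `.Overlay` activity, once for each of the two attributes.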
Unlike its predecessor, StrandHogg 2.0 requires no special settings in the Android manifest and does not use taskAffinity. That is, the malicious code does not have to be present on Google Play at all; instead, the attacker can download it later, once the dangerous application is already installed on the user's device.
StrandHogg 2.0 threatens most versions of Android (up to 9), that is, approximately 90% of the Android user base is at risk, amounting to more than a billion devices.
This time Google engineers did release a patch for the vulnerability: the fix is included in the May Android updates. Promon and Google say they have no information that attackers have already abused the problem. However, the researchers who discovered it note that exploitation of StrandHogg 2.0 is in principle difficult to notice.