StrandHogg 2.0 – Critical Android Vulnerability Could Expose Banking Credentials, SMS Messages & More

Samuel Bakken,

TechCrunch reported today that one of the most severe vulnerabilities included in the May 2020 Android Security Bulletin (CVE-2020-0096) could allow attackers to access sensitive data handled or generated by almost any app installed on an infected Android device. There are not yet any known cases of this vulnerability being exploited in the wild, but as you might imagine, it does pose a risk to mobile financial services apps and users – affecting both unrooted and rooted devices. Let’s explore what this vulnerability means for financial services app developers and what they can do to mitigate the risks for their institutions and end users.

What is StrandHogg 2.0 and What Damage Can it Do?

Strandhogg 2.0
Image source:

Malware that exploits the StrandHogg 2.0 vulnerability, discovered and disclosed by security firm Promon, can masquerade as other apps installed on the same Android device. Promon researchers note that this iOS and Android vulnerability is related to the original StrandHogg vulnerability discovered at the end of 2019. However, because it’s harder to detect an attack on the vulnerability and can be used to attack multiple apps simultaneously, it’s thought to be more serious.

Here’s why banks need to consider the risks associated with StrandHogg 2.0:

  1. The malware leveraged by cybercriminals can request permissions disguised as a legitimate application
  2. If granted those permissions, the malicious app can access private information including login credentials, SMS messages, photos, GPS location, phone conversations, and more
  3. When a user launches a legitimate app for mobile banking, the malware can insert a mock log-in screen on top of that app to steal a user’s credentials

1.	The malware can request permissions disguised as a legitimate application
Image source:

For example, say a user downloads a COVID-19 exposure notification/contact tracing app from the Google Play Store onto a device infected with malware that exploits this vulnerability. When the user launches the COVID-19 app, the malware might insert itself, hijack that session, and request permissions such as GPS and messaging. The user might feel comfortable granting those permissions to what they assume is a legitimate app when in fact they’ve granted these positions to malware. That information, instead of combatting the pandemic, could be repurposed for phishing attacks, ransomware attacks, or other malicious activity.

To re-iterate, today there are no known examples of malware campaigns exploiting this vulnerability in the wild. However, that could change. Malicious apps were exploiting the original StrandHogg vulnerability in late 2019 to target mobile banking users. With more details about StrandHogg 2.0 now available, attackers may iterate upon earlier campaigns to increase their effectiveness.

StrandHogg 2.0 Impact: All Android Versions Vulnerable other than Android 10

With clear potential for damage, the next question is how much of the population is exposed? Fortunately, the Android operating system, Android 10, is not affected. Unfortunately, not even 1 in 10 Android users have updated to Android 10. StandHogg 2.0 affects all other versions of Android (91.8% of devices).

Here’s a handy chart of showing what percentage of  users are using affected versions of the Android OS (a majority) based on data from Android Studio as of April 2020.

percentage of  users are using affected versions of the Android OS

Yes, Google did issue patches for Android 8, 8.1, and 9 as part of the May 2020 Android Security Bulletin. However, there’s no guarantee that those patches will make it to every mobile device running Android 8, 8.1, or 9. Even then, 40 percent of Android users run Android 7.1 or earlier and remain vulnerable.

OK, I’m Sufficiently Startled – What Can I Do to Protect Against StrandHogg 2.0?

First, Android users should update their device to the latest version Android. Unfortunately, depending on the device manufacturer and a user’s service provider/carrier that may not be possible. This is why app developers and especially developers of mobile financial services apps need to take note.
There’s no reliable way to know the precise security status of mobile devices on which your mobile app operates. Developers have no real way of knowing whether a user’s device is riddled with vulnerabilities or compromised with malware. This is why advanced cybersecurity such as app shielding and runtime protection that travels with the app to defend it (and your users) even in hostile conditions is crucial to a complete, layered approach to mobile app security.

Mobile App Shielding
White Paper

Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue

Discover how app shielding with runtime-protection is key to developing a secure, resilient mobile banking app.

Download Now

Sam is Director of Product Marketing responsible for the OneSpan mobile app security and identity verification portfolio and has nearly 10 years of experience in information security.