Learn about the StrandHogg v.2.0 vulnerability that threatens 95 Android devices around the world

Android is known to hold the largest share of the world's smartphones (about 70% of devices around the world run Android).

It is therefore natural for attackers to focus on this popular system, despite Google's continued attempts to secure Android as much as possible.

Even so, new attacks keep appearing. The latest is caused by the StrandHogg v.2.0 vulnerability, which for the first time poses a real threat to all Android phone users, as it affects all system versions from Android 3.0 (Honeycomb) up to 9 (Pie)!

How StrandHogg v.2.0 vulnerability works

The way StrandHogg v.2.0 works is very simple: it takes advantage of the most ordinary daily activities of any user, and that is where the danger comes from.

For example, suppose you check your email in Gmail, the message contains a link that you open, and you then go to the list of open programs on your device.

You will notice that the link you opened is displayed inside Gmail itself, and not in a separate interface or program.

The idea is that interfaces in Android generally work as one interface opened within another, and the StrandHogg 2.0 vulnerability builds on this principle.

Consider the following scenario: the user has downloaded and installed a malicious program from an external source.

In the background, the program opens Gmail, copies its login interface, places the copy over the original interface, and then activates it.

Later the user opens Gmail, finds the login interface in front of him, and enters his email address and password. You know what happens next.

The malicious program takes that data and sends it to the attackers. In the same way it can take the credentials for bank accounts and for personal accounts on Facebook, Twitter and other services.


Technical aspect of the StrandHogg v.2.0 vulnerability and why it is difficult to get rid of it

We still don't have enough information about how the StrandHogg v.2.0 vulnerability works, but what we know so far is that it targets startActivities() to open the counterfeit interface over targeted programs, as explained above.

This is done in three ways:
  • Opening the interface directly using Intent.FLAG_ACTIVITY_NEW_TASK, without counterfeiting any interface, which makes it non-dangerous and easy to detect.
  • Opening an interface that imitates the target application's interface (the dangerous method).
  • Misdirection: randomly opening Gmail in the background instead of the program the user clicked on, in a way that does not make the user suspicious of Gmail.

Whichever way the StrandHogg v.2.0 vulnerability is triggered, all of them revolve around targeting startActivities(), as mentioned before.

This is why the vulnerability is difficult to get rid of: it targets a widely used call that most developers rely on when writing their own code for the Android platform.

With the first release, StrandHogg 1.0, a specific entry had to be placed in the AndroidManifest.xml file of the malicious program, which made it easier for the system to detect.

In this version things have moved on considerably: the attack now lives in Java and Kotlin code, which makes it very complicated and difficult to discover.


How did Google react?


Google's first statement on the StrandHogg v.2.0 vulnerability claimed that the Google Play Protect platform can detect and block all malicious programs, including those that use this method to exploit StrandHogg 2.0.

That sounds reassuring to users, but how can the company claim that Google Play Protect detects the vulnerability when we saw no reaction from the platform in the video above?

The user ran a full scan of all applications on his phone with it, yet it did not discover the malicious program!

So far, Promon, the company that first discovered the vulnerability, has said that it has not yet seen any practical use of it.

It also advised developers to protect their programs by using the singleTask or singleInstance launch mode for the interfaces in their programs, as this would prevent the vulnerability from working.

At the same time, this may cause problems in the program itself, and these launch modes are not well liked by developers.
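As an added example (not from the original article or from Promon), the following Python audit reads a decoded AndroidManifest.xml and reports activities that do not use the singleTask or singleInstance launch modes mentioned above. It also covers the StrandHogg 1.0 point about a detectable manifest entry by flagging a task affinity that names another package. The article does not name that entry, so the use of the taskAffinity attribute is an assumption, and the sample manifest and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HARDENED_MODES = {"singleTask", "singleInstance"}

# Constructed sample manifest (decoded text XML), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:launchMode="singleTask"/>
    <activity android:name=".TransferActivity"/>
    <activity android:name=".PromoActivity"
              android:taskAffinity="com.example.mail"/>
  </application>
</manifest>
""".strip()


def audit_manifest(xml_text):
    """Return a list of (activity, finding) tuples for a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name", "<unnamed>")
        # launchMode defaults to "standard" when the attribute is absent.
        mode = act.get(ANDROID_NS + "launchMode", "standard")
        if mode not in HARDENED_MODES:
            findings.append((name, "launchMode=" + mode))
        # Assumption: an affinity naming another package is the manifest-level
        # indicator of StrandHogg 1.0 (the article does not name the entry).
        affinity = act.get(ANDROID_NS + "taskAffinity")
        if (affinity and affinity != package
                and not affinity.startswith(package + ".")):
            findings.append((name, "foreign taskAffinity=" + affinity))
    return findings


if __name__ == "__main__":
    for activity, finding in audit_manifest(SAMPLE_MANIFEST):
        print(activity, "->", finding)
```

A launch-mode finding is a prompt for review rather than proof of exposure, since changing the launch mode can alter navigation behaviour in the app.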

The company also promoted its own protection product, which comes as a library that includes all the operations developers normally perform, and so helps to detect any program performing operations different from those in the library.

Fortunately, Promon waited ninety days before disclosing the vulnerability, and it has not yet fully disclosed how it works.

During this period, Google sent out security updates for Android versions 8, 8.1 and 9 for March. Android 10 is not exposed to this vulnerability.

We do not know the exact reason, but it may be related to the restrictions Google added on opening multiple interfaces.

Promon stated that the attack is not effective on Android 10: there the malicious interface opens on a separate page from the target program rather than on top of it, which makes it very easy to spot.

What about Android versions older than 8?

About 22% of Android devices run versions earlier than 8. That number is not too small to ignore, yet Google ignores these versions completely: the security updates it sends do not reach them.

In other words, all of these versions are fertile ground for the StrandHogg 2.0 vulnerability, and there is nothing you can do except make sure you download applications only from secure stores.

Of course, it is also possible to install ROMs based on a higher Android version with a security patch level of May 2020 or later.

What do you think of this vulnerability and how it works? On a personal level, and despite my strong rejection of all those who take up hacking and steal their victims' data,

I cannot hide my admiration for the skill behind this vulnerability. How could it target such a simple piece of code and turn it into a destructive vulnerability!

Frankly, whoever is behind this loophole is really adept, and I wish Google could bring them onto its team, because they would definitely be able to make the Android system more secure!

