Researchers have discovered a relatively new form of Android malware that steals credentials through a vulnerability in how Android handles Activities. Named StrandHogg 2.0, it abuses the Context.startActivities() API method to launch its own screen on top of a legitimate app and ask for credentials. Researchers say Android versions 3 through 9 are vulnerable to this exploitation.
More than 90% of Androids are Vulnerable
Android malware sneaks in easily and is often hard to detect. StrandHogg 2.0 is one such malware, infecting Android phones to steal data. Researchers from Promon report that it can affect Android versions from Honeycomb (v3) through Android Pie (v9), and they are not certain that Android 10 users are safe either.
After identifying the vulnerability being exploited, the researchers reported it to Google. Google closed it in the May 2020 Android security patch level, but that fix was shipped only for Android 8, 8.1, and 9. This leaves older Android versions, and any device that has not installed the patch, vulnerable. For custom ROM developers, AOSP commits are available that prevent this attack.
Exploiting a Legitimate Feature
While Promon waits out the 90-day responsible disclosure period, some details of how the malware works are already known. As XDA Developers explained using Gmail as an example, StrandHogg 2.0 uses an app Activity to exploit the Context.startActivities() API and steal data.
The attack starts with the user opening a malicious app, which could have been downloaded from any number of unknown sources. The malware then runs in the background while the legitimate service stays visible on top of it, so nothing looks out of place. For example, you open the Gmail app, or any other app. Suddenly, the malware running behind it pops up a Gmail login page asking you to sign in again, claiming your session has expired or giving some other pretext.
This is a phishing page that steals the credentials you enter, which can later be used for further attacks such as impersonation. Researchers say simply disabling Context.startActivities() is not an option, since it serves far more legitimate purposes than malicious ones. Users are therefore advised to install the latest security patches released by their OEM or Google to mitigate this exploit.
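As an added example (not code from the article, Promon or XDA Developers), here is a device-side check an app could run at startup to decide whether to warn its users, built only from the version and patch-level facts stated above. The class and method names are my own, and the mapping of Android versions to API levels (Honeycomb 3.0 = API 11, 8.0 = API 26, 8.1 = API 27, Pie 9 = API 28) is supplied here, not by the article.

```java
import android.os.Build;
import java.util.regex.Pattern;

/** Classifies the running device against the StrandHogg 2.0 patch status described above. */
public final class StrandHoggPatchCheck {

    public enum Status {
        PATCHED,                 // 8.0/8.1/9 with the May 2020 (or later) security patch level
        UNPATCHED_FIX_AVAILABLE, // 8.0/8.1/9 but still on an older patch level
        UNPATCHED_NO_FIX,        // 3.x through 7.x: affected, and no fix was released
        OUTSIDE_TESTED_RANGE     // Android 10+ (not confirmed safe) or pre-3.0
    }

    // API-level bounds of the affected range reported by the researchers (assumed mapping).
    static final int FIRST_AFFECTED_API = 11;  // Android 3.0 Honeycomb
    static final int LAST_AFFECTED_API  = 28;  // Android 9 Pie
    static final int FIRST_FIXED_API    = 26;  // Android 8.0; fix shipped for 8.0, 8.1 and 9 only
    // Security patch level that closed the issue, per the article. Build.VERSION.SECURITY_PATCH
    // uses "YYYY-MM-DD", so a plain string comparison orders dates correctly.
    static final String FIX_PATCH_LEVEL = "2020-05-01";
    private static final Pattern PATCH_FORMAT = Pattern.compile("\\d{4}-\\d{2}-\\d{2}");

    /**
     * Pure classification so it can be unit-tested off-device.
     * @param sdkInt        value of Build.VERSION.SDK_INT
     * @param securityPatch value of Build.VERSION.SECURITY_PATCH, or null where unavailable (API < 23)
     */
    static Status classify(int sdkInt, String securityPatch) {
        if (sdkInt < FIRST_AFFECTED_API || sdkInt > LAST_AFFECTED_API) {
            return Status.OUTSIDE_TESTED_RANGE;
        }
        if (sdkInt < FIRST_FIXED_API) {
            return Status.UNPATCHED_NO_FIX;
        }
        // Missing or malformed patch level: treat as unpatched rather than guessing.
        if (securityPatch == null || !PATCH_FORMAT.matcher(securityPatch).matches()) {
            return Status.UNPATCHED_FIX_AVAILABLE;
        }
        return securityPatch.compareTo(FIX_PATCH_LEVEL) < 0
                ? Status.UNPATCHED_FIX_AVAILABLE
                : Status.PATCHED;
    }

    /** Reads the running device's build values; call this from app startup before showing a login screen. */
    public static Status checkThisDevice() {
        String patch = Build.VERSION.SDK_INT >= 23 ? Build.VERSION.SECURITY_PATCH : null;
        return classify(Build.VERSION.SDK_INT, patch);
    }
}
```

The check only tells an app whether the platform fix is present; it does not detect the malware itself, so a result other than PATCHED is a reason to prompt the user to update, not proof of compromise.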