One thing that Apple definitely does better than most of the Android phone manufacturers is patch its devices for a long time. Google understands this and has been pushing manufacturers to patch for a longer time period and more quickly. Android phones that were originally released with Android 10 have an option to allow Google to patch the phones directly, bypassing the Google -> phone maker -> carrier route and cutting out months of delay. If you assume that hackers weaponize patches in a week, that delay can be a killer, especially since using your phone as a voice calling device is pretty low on most users' list of uses for a phone.
This new bug is called Strandhogg 2.0.
It allows the bad guys to add an invisible overlay on top of all of your apps. Release 2.0 is new and improved: version 1.0 had to be customized for each app, while version 2.0 works for pretty much any and all apps.
AND IT WORKS ON ALL ANDROID PHONES NOT RUNNING ANDROID 10.
What can a hacker do with this capability? Steal credit cards and passwords for starters.
If you are one of those lucky people (like me) who own Google-branded phones, you are in good shape. Unless it is an ancient Google phone, it is already running Android 10 (or Q) and that version is not vulnerable. It is possible that your Android phone from another company also runs Android 10, but you have to check.
Whether we are talking about Strandhogg 1.0 or 2.0, the attacker still needs to get the user to install a malicious app. Given that many people are addicted to installing apps, that doesn’t seem to be a very high bar. The malicious app likely performs some expected task in addition to being malicious, so it would not be obvious to the user that the app is malicious.
Other than reading your text messages, stealing your photos, tracking your location via the phone’s GPS, making calls, recording conversations and spying on you via the phone’s microphone and camera, the malware doesn’t really do much.
The malware will be hard for anti-malware software to detect or block. Users MAY be able to detect telltale signs of it like buttons that should work in the app and don’t, login screens that appear when they should not, apps asking for unexpected permissions, etc.
The vulnerability is being exploited in the wild – researchers have found malicious apps already.
Google’s patch, issued this month, is available for Android 8.0, 8.1 and 9, but nothing earlier.
Companies need to decide whether they want to allow users with older Android software to access corporate resources such as email. The attack scenario is to steal the user’s credentials from an unpatched phone and then use those credentials to compromise your network or cloud resources. Two-factor authentication makes the exploitation of compromised credentials harder, but issues remain that do not involve compromising the 2FA directly. This is especially true when not every single corporate system is protected with two-factor authentication.
Credit: The Hacker News
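As an added illustration (not code from the original alert), the version facts above can be turned into a per-device access decision: Android 10 is not vulnerable, 8.0 through 9 are safe only once the fix is installed, and anything older has no fix. The inventory, the `FIX_LEVEL` date and all function names are constructed placeholders, and releases after 10 are assumed to behave like 10.

```python
import csv
import io
from datetime import date

# PLACEHOLDER, constructed for this demo: replace with the security patch
# level of the Android bulletin that carries the Strandhogg 2.0 fix.
FIX_LEVEL = date(2001, 1, 1)
CODENAMES = {"Q": 10}  # the alert refers to Android 10 as "Q"

# Constructed MDM export: device id, Android release, security patch level.
INVENTORY = """device,release,patch_level
pixel-01,10,2001-03-05
tab-07,9,2001-01-01
phone-12,8.1.0,2000-11-01
phone-15,7.1.2,2001-02-01
kiosk-03,8.0.0,
byod-22,Q,2001-02-01
"""

def major(release):
    """Major version from strings like '8.1.0' or 'Q'; None if unknown."""
    head = release.strip().split(".")[0]
    return int(head) if head.isdigit() else CODENAMES.get(head.upper())

def decide(release, patch_level, fix_level=FIX_LEVEL):
    """Return (verdict, reason) for one device, failing closed on bad data."""
    ver = major(release)
    if ver is None:
        return "block", "unrecognised Android release"
    if ver >= 10:  # assumption: releases after 10 are treated like 10
        return "allow", "Android 10 is not vulnerable"
    if ver < 8:
        return "block", "no fix exists below Android 8.0"
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "block", "patch level missing or malformed"
    if level >= fix_level:
        return "allow", "reported patch level includes the fix"
    return "update", "patchable release, but patch level predates the fix"

def triage(inventory_csv=INVENTORY, fix_level=FIX_LEVEL):
    """Map each device id in the CSV export to its (verdict, reason)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: decide(r["release"], r["patch_level"], fix_level)
            for r in rows}

if __name__ == "__main__":
    for device, (verdict, reason) in triage().items():
        print(f"{device:10} {verdict:7} {reason}")
```

Devices marked `update` can regain access once they install the patch; devices marked `block` cannot be fixed by patching and need an OS upgrade or replacement.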
If you need assistance or have questions, please contact us.