27 May 2020

StrandHogg 2.0 bug allows hackers to hijack almost any app

Researchers at Promon have disclosed a new vulnerability affecting Android 9.0 and below. The flaw, dubbed StrandHogg 2.0 because of its similarity to the original StrandHogg discovered last year, is an elevation-of-privilege vulnerability that lets an attacker gain access to almost any app on an infected device.

Like the original StrandHogg bug, StrandHogg 2.0 (CVE-2020-0096) allows a malicious app to masquerade as a legitimate one while remaining completely hidden. Once the malicious app has been installed on the device, it can access personal data such as SMS messages, photos and login credentials, track the user's GPS movements, make and record phone calls, and spy on the user via the camera and microphone.

CVE-2020-0096, which Google has classified as a “critical severity” issue, allows for a broader range of attacks, the researchers warned. While the original StrandHogg vulnerability was exploited through Android’s TaskAffinity control settings, the new bug is triggered through reflection, and because the attack lives in code rather than in a declarative setting it is much more difficult to detect.

“StrandHogg 2.0, being the more cunning twin, has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” Promon explained.

Using this flaw, a malicious app can assume the identity of a legitimate app; when the unsuspecting user taps the icon and enters their login credentials into the malicious app’s interface, the data is sent straight to the attacker.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” according to the report.

“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams.”
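The distinction the report draws is what a reviewer can and cannot find by reading a manifest. As an added illustration (this is not code from the article or from Promon), the script below scans a decoded AndroidManifest.xml, such as the one apktool produces, for activities whose android:taskAffinity names a package other than the app's own, which is the declaration the original StrandHogg required. The sample manifest and all package names in it are constructed for the example. Because StrandHogg 2.0 needs no such declaration, this check can surface only the older variant; code-level analysis is needed for the reflection-based one.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not taken from the Promon report). The package
# "com.example.dropper" declares one activity whose taskAffinity points at a
# different package, "com.example.bank": the manifest footprint the original
# StrandHogg relied on. The other activities are benign controls.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <application android:label="Dropper">
    <activity android:name=".MainActivity" />
    <activity android:name=".FakeLogin"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true" />
    <activity android:name=".Settings"
        android:taskAffinity="com.example.dropper.settings" />
    <activity android:name=".Standalone"
        android:taskAffinity="" />
  </application>
</manifest>
"""


def _attr(element, name):
    # Android attributes are namespaced; ElementTree stores them as {ns}name.
    return element.get("{%s}%s" % (ANDROID_NS, name))


def find_foreign_task_affinities(manifest_xml):
    """Return a list of (activity_name, task_affinity, allow_reparenting)
    for every <activity> or <activity-alias> whose taskAffinity lies
    outside the declaring app's own package namespace.

    Android's default taskAffinity is the package name itself, so an
    explicit value pointing at another package is the thing to flag.
    An empty string means "no affinity" and is a legitimate setting.
    """
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    findings = []
    for tag in ("activity", "activity-alias"):
        for activity in root.iter(tag):
            affinity = _attr(activity, "taskAffinity")
            if not affinity:
                continue  # default or explicitly empty affinity: benign
            if affinity == own_pkg or affinity.startswith(own_pkg + "."):
                continue  # a sub-task within the app's own namespace
            reparent = _attr(activity, "allowTaskReparenting") == "true"
            findings.append((_attr(activity, "name"), affinity, reparent))
    return findings


def report(manifest_xml):
    """Human-readable summary of find_foreign_task_affinities()."""
    hits = find_foreign_task_affinities(manifest_xml)
    if not hits:
        return "no foreign taskAffinity declarations found"
    lines = []
    for name, affinity, reparent in hits:
        flag = " (allowTaskReparenting=true)" if reparent else ""
        lines.append("%s -> taskAffinity %s%s" % (name, affinity, flag))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

The allowTaskReparenting flag is reported alongside the affinity because, in combination, the two let an activity migrate into another app's task; a match on its own is only a lead, and a legitimate app suite may share an affinity across its own packages, so each hit still needs a look at the code that starts the activity.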

The researchers contacted Google about the issue in December 2019; five months later, in April 2020, Google rolled out a patch to Android ecosystem partners. A security patch for Android 8.0, 8.1 and 9 is scheduled to reach the general public in May 2020.
