Researchers have found a critical flaw that affects nearly all devices running Android 9.0 or older, which implies that over 90% of Android users could be vulnerable. If exploited, the security hole allows hackers to hijack almost any app and steal victims’ sensitive data, according to researchers at Promon, who uncovered the vulnerability and dubbed it StrandHogg 2.0.

The good news is that malware exploiting the vulnerability has not been observed in the wild. Importantly, Google provided a patch to Android device makers in April 2020, with the fix – for Android versions 8.0, 8.1 and 9.0 – being rolled out to the public as part of the latest assortment of monthly security updates throughout this month. Promon notified Google about the vulnerability in early December 2019.

Indexed as CVE-2020-0096, the elevation of privilege flaw resides in the Android system component and can be abused through a method called reflection that allows malicious apps to impersonate legitimate applications while the victim is none the wiser. As a result, once a malicious app is downloaded and installed on a vulnerable device, an attacker could steal the victim’s access credentials, record conversations, track their movements via GPS, or access stored data such as photos or messages.

Let’s say a malicious app sneaks into your device and you click on a legit app that requires your access credentials. Instead of that app, however, the data-stealing overlay is displayed. You go on to enter your credentials and those are immediately transferred to the criminal, who now has control of this app. It isn’t just the credentials that are at risk – the app can hijack permissions that are being granted to apps, notably access to the GPS, microphone, or camera. Most apps are vulnerable to the attack by default.

The research team pointed out that compared to the original StrandHogg flaw, StrandHogg 2.0's “less evil twin”, the newly-disclosed flaw is much more difficult to detect because of its code-based execution. Also, it can also “dynamically attack nearly any app on a given device simultaneously at the touch of a button”, whereas StrandHogg could only attack apps one at a time.

Promon theorizes that cybercriminals would probably exploit both vulnerabilities in unison since they can attack devices in different ways, while at the same time many measures used to mitigate one vulnerability cannot be applied to the other.

To protect yourself against StrandHogg 2.0, you should update your Android device to the latest available OS version. Generally speaking, it’s also important to have a reputable mobile security solution in place and to be very cautious about installing apps from outside Google Play.