Critical Android flaw can be used to hack almost any phone: What to do

Image: Strandhogg 2.0 vulnerability (Image credit: Shutterstock)

If your Android phone can install Google's May security update, make sure you run the update. 

A critical vulnerability called Strandhogg 2.0 revealed yesterday (May 26) can be used to "gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations and spy through a phone's camera and microphone," according to the flaw's finders at Norwegian app-security firm Promon.

Strandhogg 2.0 superficially resembles the earlier Strandhogg Android flaw that Promon disclosed in December 2019. Both Strandhoggs (the name comes from a Viking term for beach raids) let malware spoof legitimate Android apps and system screens. 

As a result, you might type your Facebook username and password into a fake Facebook app rather than the real thing, handing control of your Facebook account over to attackers (unless you have two-factor authentication activated). Or you could give an attacking app permission to use your camera and microphone, letting it spy on you.

Image: Diagram showing how the Strandhogg 2 Android flaw could be exploited to steal the password to an online bank account. (Image credit: Promon)

Who is (and isn't) vulnerable to Strandhogg 2.0

The good news is that Android 10 phones are immune to Strandhogg 2.0, and that Android 8.0 and 8.1 Oreo and Android 9 Pie were patched with security updates at the beginning of May. The flaw has also not yet been exploited in the wild, although that may change soon.

The bad news is that many phones that aren't Google Pixels or Samsung flagships will not get the May security patch for several months. Older phones running earlier versions of Android will probably never be patched. 

Both versions of Strandhogg can be abused without taking any app permissions, so there would be very little to tip off the phone user that something might be amiss. However, the first Strandhogg is easy to detect using Google's own Play Protect software. 

Not so with Strandhogg 2.0. Malware exploiting it might sail past even the best Android antivirus apps. Perfectly innocuous apps might later be updated to exploit Strandhogg 2.0, fooling Google Play. 
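As an added example, not from the article or from Promon: a POSIX shell triage helper that classifies a device against the version and patch-level ranges described above. It assumes the May fix corresponds to a security patch level of 2020-05-01 or later, treats anything below Android 8.0 as never patched, and uses adb (if installed) only in the optional connected-device helper.

```shell
#!/bin/sh
# Added example, not the article's or Promon's code.
# Assumptions: Android 10+ not affected; Android 8.0/8.1/9 fixed by a
# security patch level of 2020-05-01 or later (assumed date); below 8.0
# is treated as end-of-life and unpatched.

# strandhogg2_status RELEASE PATCH_LEVEL
# Prints: not-affected | patched | vulnerable | unpatched-eol | unknown
strandhogg2_status() {
    release="$1"
    patch="$2"
    major="${release%%.*}"            # "8.1.0" -> 8, "10" -> 10
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -ge 10 ]; then
        echo not-affected
        return 0
    fi
    if [ "$major" -lt 8 ]; then
        echo unpatched-eol
        return 0
    fi
    # Patch level must look like YYYY-MM-DD; otherwise we cannot judge.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    if [ "$(printf '%s' "$patch" | tr -d -)" -ge 20200501 ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Optional: read the real properties from a USB-attached device via adb.
check_connected_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "Android $rel, patch level $pl: $(strandhogg2_status "$rel" "$pl")"
}

# Run with --device to query a connected phone; otherwise only define helpers.
if [ "${1:-}" = "--device" ]; then
    check_connected_device
fi
```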

Promon researchers notified Google of the Strandhogg 2.0 flaw on Dec. 4, 2019, and Google confirmed the severity of the flaw five days later. However, it took Google nearly five months to fix the vulnerability, and Promon cut Google a break by extending its 90-day disclosure deadline by an extra month twice.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
