If your Android phone can install Google’s May security update, make sure you run the update.
A critical vulnerability called Strandhogg 2.0 revealed yesterday (May 26) can be used to “gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations and spy through a phone’s camera and microphone,” according to the flaw’s finders at Norwegian app-security firm Promon.
Strandhogg 2.0 superficially resembles the earlier Strandhogg Android flaw that Promon disclosed in December 2019. Both Strandhoggs (the name comes from a Viking term for beach raids) let malware spoof legitimate Android apps and system screens.
As a result, you might type your Facebook username and password into a fake Facebook app rather than the real thing, handing control of your Facebook account over to attackers (unless you have two-factor authentication activated). Or you could give an attacking app permission to use your camera and microphone, letting it spy on you.
Who is (and isn’t) vulnerable to Strandhogg 2.0
The good news is that Android 10 phones are not affected by Strandhogg 2.0, and that Android 8.0 and 8.1 Oreo and Android 9 Pie were patched by the security update released at the beginning of May. The flaw has also not yet been exploited in the wild, although that may change soon.
The bad news is that many phones that aren’t Google Pixels or Samsung flagships will not get the May security patch for several months. Older phones running earlier versions of Android will probably never be patched.
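The practical question for anyone reading the two paragraphs above is "where does my phone fall?" The following shell snippet is an added example, not part of the article or of Promon's research: it takes the two values Android exposes for its OS version (`ro.build.version.release`) and security patch level (`ro.build.version.security_patch`) and classifies the device using the article's own thresholds. It assumes that the "beginning of May" fix corresponds to a patch level of 2020-05-01 or later, that releases newer than Android 10 share Android 10's status, and that the `check_connected_device` helper is run against a phone with USB debugging enabled and `adb` on the PATH.

```shell
#!/bin/sh
# Added example (not from the article): classify a device's exposure to
# Strandhogg 2.0 from its Android release and security patch level.
# Thresholds follow the article: Android 10 is not affected; Android 8.0,
# 8.1 and 9 are fixed by the May 2020 security update; older releases are
# treated as unlikely to ever receive a fix.
# Assumption: the May 2020 fix shows up as a patch level of 2020-05-01 or
# later (the article only says "beginning of May").

strandhogg2_status() {
    release="$1"   # value of ro.build.version.release, e.g. "8.1.0"
    patch="$2"     # value of ro.build.version.security_patch, YYYY-MM-DD

    major="${release%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "unknown-release"; return 2 ;;
    esac

    # Android 10 (and, by assumption, anything newer) is not affected.
    if [ "$major" -ge 10 ]; then
        echo "not-affected"; return 0
    fi
    # Anything before Oreo is outside the fixed range; the article expects
    # such phones never to be patched.
    if [ "$major" -lt 8 ]; then
        echo "vulnerable-no-fix-expected"; return 1
    fi

    # Android 8.0 / 8.1 / 9: the patch level decides. Strip the dashes so
    # the date can be compared numerically (YYYYMMDD keeps date order).
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown-patch-level"; return 2 ;;
    esac
    patchnum=$(printf '%s' "$patch" | sed 's/-//g')
    if [ "$patchnum" -ge 20200501 ]; then
        echo "patched"; return 0
    fi
    echo "vulnerable-update-available"; return 1
}

# Read both properties from a USB-connected phone with adb and print the
# verdict. Not called automatically; requires adb and USB debugging.
check_connected_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'Android %s, patch level %s: %s\n' \
        "$rel" "$pl" "$(strandhogg2_status "$rel" "$pl")"
}
```

The function exits 0 when the device is safe, 1 when it is exposed, and 2 when the inputs cannot be interpreted, so it can be dropped into a fleet check that lists which phones still need the May update or will never get it.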
Both versions of Strandhogg can be abused without taking any app permissions, so there would be very little to tip off the phone user that something might be amiss. However, the first Strandhogg is easy to detect using Google’s own Play Protect software.