Feb 24, 2020

Android Cracks and App Hacks – What Is StrandHogg?

StrandHogg is a critical task-hijacking vulnerability in the Android mobile operating system. It lets a malicious app put its own screen on top of a legitimate one, so a user who thinks they are talking to a security-sensitive app (a banking client, say) types their login credentials into, or grants permissions to, the attacker's app instead. The underlying weakness was first described in 2015; the name StrandHogg was given to it by the researchers who publicised it in late 2019, and is Old Norse for the Viking tactic of raiding coastal settlements and holding the inhabitants for ransom.

The vulnerability stems from the android:taskAffinity attribute in the Android manifest. In normal use, taskAffinity lets an app declare which task its activities belong to (the "affinity" between them), so that related screens stack in one task and the Android BACK button moves through them in a seamless, user-friendly way. The same mechanism lets any app declare affinity with another app's package name. A malicious app that does so, typically together with android:allowTaskReparenting="true", can have its activity slotted into the victim's task, so the next time the user opens the victim app the attacker's look-alike screen is what appears. Malware writers have built data-theft attacks on this: the fake screen harvests whatever the user enters, and it can request dangerous permissions that the user grants believing the trusted app is asking.

Developers can close the hole for their own apps (the fix lives in the app's manifest, so end users cannot apply it themselves) by setting android:taskAffinity="" on each activity, or on the <application> element so that every activity inherits it. An activity with an empty affinity never shares a task with another app, so no "false friend" declared by malware can be reparented onto it. A further step is a runtime check that the setting is still in place, for example reading the app's own ActivityInfo.taskAffinity through PackageManager at startup and refusing to run if it has reverted to the package-name default, which catches repackaged or tampered builds in which the manifest has been altered.
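To show how the affinity rules above play out in real manifests, here is an added example (not from the original post and not Arxan's code): a small Python audit that reads decoded AndroidManifest.xml text, resolves each activity's effective task affinity the way the platform does (activity attribute, then application attribute, then package name), and flags the three cases that matter for StrandHogg: the hardened empty affinity, the exposed default, and an activity claiming affinity with someone else's package. The three manifests inside it are constructed for illustration, and the package names com.example.bank and com.evil.flashlight are made up.

```python
# Added example, not Arxan's or the original post's code. Audits decoded
# AndroidManifest.xml text (as produced by apktool) for the task-affinity
# exposure StrandHogg abuses. All manifests below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:* attribute; None when the attribute is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def effective_affinity(package, app, activity):
    """Resolve the affinity the platform will use for an activity.

    Precedence: the activity's own android:taskAffinity, then the value on
    <application>, then the package name (the platform default). An empty
    string means "no affinity": the activity never shares a task with
    another app, which is the setting that blocks StrandHogg.
    """
    for elem in (activity, app):
        value = _attr(elem, "taskAffinity")
        if value is not None:
            return value
    return package


def audit_manifest(xml_text):
    """Classify every <activity>; returns (name, affinity, verdict, reparent).

    hardened          affinity "": no other app's activity can join its task
    default-affinity  affinity == own package: any app declaring that package
                      name as its affinity can land its activity in the task
    foreign-affinity  affinity names another package: the impersonation
                      pattern of a StrandHogg-style app
    """
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    app_reparent = _attr(app, "allowTaskReparenting") == "true"
    results = []
    for act in app.findall("activity"):
        affinity = effective_affinity(package, app, act)
        if affinity == "":
            verdict = "hardened"
        elif affinity == package:
            verdict = "default-affinity"
        else:
            verdict = "foreign-affinity"
        own = _attr(act, "allowTaskReparenting")
        reparent = app_reparent if own is None else own == "true"
        results.append((_attr(act, "name"), affinity, verdict, reparent))
    return results


def is_hardened(xml_text):
    """True when every activity in the manifest opts out of task sharing."""
    return all(v == "hardened" for _, _, v, _ in audit_manifest(xml_text))


def foreign_affinities(xml_text):
    """Activities declaring affinity with a package other than their own."""
    return [(n, a) for n, a, v, _ in audit_manifest(xml_text)
            if v == "foreign-affinity"]


# Constructed sample 1: a banking app that leaves taskAffinity at the default.
BANK_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank">
    <activity android:name="com.example.bank.LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.bank.TransferActivity"/>
  </application>
</manifest>"""

# Constructed sample 2: the same app hardened by an empty affinity on
# <application>, which every activity inherits unless it overrides it.
BANK_HARDENED = BANK_DEFAULT.replace(
    '<application android:label="Bank">',
    '<application android:label="Bank" android:taskAffinity="">')

# Constructed sample 3: a look-alike app claiming affinity with the bank's
# package and asking to be reparented into whatever task carries that affinity.
IMPERSONATOR = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.evil.flashlight">
  <application android:label="Flashlight">
    <activity android:name="com.evil.flashlight.FakeLogin"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("bank (default)", BANK_DEFAULT),
                        ("bank (hardened)", BANK_HARDENED),
                        ("impersonator", IMPERSONATOR)):
        print(label, "hardened" if is_hardened(text) else "EXPOSED")
        for row in audit_manifest(text):
            print("   ", row)
```

Run against a directory of apktool output this is the kind of sweep that produces numbers like the ones quoted below: a manifest counts as protected only when every activity resolves to an empty affinity, and a manifest whose activities name a package other than their own is worth a closer look regardless of what the app claims to be.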

Arxan's testing found that 80% of apps leave taskAffinity at its default, and that only about 10% take the simple step of setting it to the empty value that blocks StrandHogg. Vulnerabilities in the Android operating system will continue to be uncovered and rediscovered. Arxan's code protection tools harden apps against such attacks: Arxan's Android code-level security features protect apps against code-level exploitation, trigger automatically on suspicious activity, and alert on attacks, all in real time.

Winston Bond

Winston Bond is the EMEA Technical Director at Arxan, with many years' experience of working with customers in the security, software and semiconductor industries, across Europe and worldwide.

Arxan for Android
