US president Donald Trump may seem to believe nobody gets hacked, and that to get hacked you need “someone with 197 IQ” and “about 15% of your password”, but his official campaign app is right now vulnerable to an easy-to-exploit Android vulnerability that could be used to spread misinformation – and his rival Joe Biden fares no better.
Trump’s latest false pronouncements, which attracted derision across the industry, prompted researchers at Norwegian mobile security outfit Promon to investigate the US election campaign apps, and during its analysis, it found both Trump’s app and Biden’s are vulnerable to StrandHogg.
StrandHogg – an old Norse word for a Viking raiding tactic – was first identified at Promon last year. The vulnerability allows malware to pose as a legitimate application and if successfully exploited on a victim device enables cyber criminals to access SMS messages, photos, account credentials, location data, to make and record phone calls, and to activate on-board cameras and the device’s microphone. StrandHogg 2.0, a more dangerous version, was identified in May 2020.
“The claim that ‘nobody gets hacked’ is simply untrue and, given the influence of the president, can have dangerous impacts on the behaviour of hundreds of thousands of people,” said Promon chief technology officer Tom Lysemose Hansen.
“If the president of the US doesn’t believe cyber attacks are a serious issue, why should the average user take steps to protect themselves? Unfortunately, cyber crime is evolving constantly and It is not uncommon for malicious attacks to be tied to current affairs to ensure they are far-reaching and timely.
“The president’s statement sadly reflects a widely believed sentiment that secure passwords will protect you from hackers and that hacking, in general, doesn’t affect the average citizen,” he said. “Sadly, this isn’t the case. Absolutely nothing is ‘unhackable’, and even the most secure, high-profile accounts are vulnerable should the user fall victim to a phishing attack which seeks usernames and passwords.”
In the case of the Trump and Biden campaign apps, the vulnerability could let hackers hijack the app and overlay a fake screen that can depict anything the attacker wants to, including requests to hand over personal data.
In a proof of concept video, Promon overlaid Trump’s app with a screen calling on users to donate to the Biden campaign via the ActBlue fundraising platform, and the Biden app with a screen depicting the Democrat candidate in a Make America Great Again hat.
“We would advise that users always keep their devices up-to-date and running the latest firmware and that they only ever download apps created by trusted developers,” said Hansen. “One way to check this is to see if the developer has created any other apps and check the reviews for any and all apps they have developed.
“While neither of these two apps contains sensitive data or personally identifiable information, for other security-sensitive apps (such as banking or medical apps) implementing protocols that prevent spyware from spoofing or recording what happens on the app’s screen is crucial if developers are to prevent hackers from targeting users.”
Google has acknowledged the criticality of StrandHogg 2.0 – which is more officially designated as CVE-2020-0096 – and a patch for the vulnerability was shipped in an Android security update released in May. Users of Android devices who have not yet applied this patch are putting their personal data and safety at risk and should do so immediately.
It’s worth noting that version 2.0 of StrandHogg is particularly dangerous because it can be installed by dropper apps or hostile downloaders distributed via the Google Play Store. Android users therefore need to be cautious when installing new apps because despite the best efforts of Google, malicious apps still slide through the screening process with some regularity.