1/ Thread about #StrandHogg
So a “new” #Android vulnerability with the usual pack (name, website, fancy logo) is in town. #StrandHogg is far from being new. Task hijacking in Android has been documented in 2015 usenix.org/system/files/c…
So a “new” #Android vulnerability with the usual pack (name, website, fancy logo) is in town. #StrandHogg is far from being new. Task hijacking in Android has been documented in 2015 usenix.org/system/files/c…
2/ It is also a documented feature in the Android developer documentation developer.android.com/guide/componen…
3/ Yes sure you don’t need root to exploit #StrandHogg but you still need to comprise the victim’s device first by installing a malicious app on it 
4/ Last but not the least, #StrandHogg is a marketing operation. Name, logo, name, website, coordinated disclosure to the press, they even paid some Google Ads annonces...
5/ To summarize #StrandHogg is a marketing operation, it’s not a “new vulnerability”, has being documented long time ago and @Google know the issue and probably don’t care.
6/ I’m stunned by the marketing effort put into something they found in the wild, absolutely not new, the lack of mentions of the previous research in their website... This business stunt is killing our community and is not raising awareness correctly
7/ Enjoy your 2 seconds of fame
Addendum 1: They reported the issue to Google this summer. Google didn’t patch it because, I don’t know, they probably don’t consider it as “a serious vulnerability”
Addendum 2: Where is the CVE number?
Plot twist: Nowhere, there don’t receive a number for it.
Plot twist: Nowhere, there don’t receive a number for it.
Addendum 3: You can read everywhere that “this vulnerability is exploited in the wild”. In reality, they analyzed only one sample which was not even on Google Play.
This is why there is no IOCs in their report
This is why there is no IOCs in their report
