Critical Android flaw can be used to hack almost any phone: What to do

News
By published

Strandhogg 2.0 vulnerability lets you spoof any legitimate app

Strandhogg 2.0 vulnerability
(Image credit: Shutterstock)

If your Android phone can install Google's May security update, make sure you run the update. 

A critical vulnerability called Strandhogg 2.0 revealed yesterday (May 26) can be used to "gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations and spy through a phone's camera and microphone," according to the flaw's finders at Norwegian app-security firm Promon.

Strandhogg 2.0 superficially resembles the earlier Strandhogg Android flaw that Promon disclosed in December 2019. Both Strandhoggs (the name comes from a Viking term for beach raids) let malware spoof legitimate Android apps and system screens. 

As a result, you might type your Facebook username and password into a fake Facebook app rather than the real thing, handing control of your Facebook account over to attackers (unless you have two-factor authentication activated). Or you could give an attacking app permission to use your camera and microphone, letting it spy on you.

Diagram showing how the Strandhogg 2 Android flaw could be exploited to steal the password to an online bank account.

(Image credit: Promon)

Who is (and isn't) vulnerable to Strandhogg 2.0

The good news is that Android 10 phones are immune from Strandhogg 2.0, and that Android 8.0 and 8.1 Oreo and Android 9 Pie were patched with security updates at the beginning of May. The flaw has also not yet been exploited in the wild, although that may change soon. 

The bad news is that many phones that aren't Google Pixels or Samsung flagships will not get the May security patch for several months. Older phones running earlier versions of Android will probably never be patched. 

Both versions of Strandhogg can be abused without taking any app permissions, so there would be very little to tip off the phone user that something might be amiss. However, the first Strandhogg is easy to detect using Google's own Play Protect software. 

Not so with Strandhogg 2.0. Malware exploiting it might sail past even the best Android antivirus apps. Perfectly innocuous apps might later be updated to exploit Strandhogg 2.0, fooling Google Play. 

Promon researchers notified Google of the Strandhogg 2.0 flaw on Dec. 4, 2019, and Google confirmed the severity of the flaw five days later. However, it took Google nearly five months to fix the vulnerability, and Promon cut Google a break by extending its 90-day disclosure deadline by an extra month twice.

See more Phones News
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Android Phones
Samsung Galaxy S25 Edge next to Galaxy S25 Plus
Samsung Galaxy S25 Edge vs. Galaxy S25 Plus: Everything we know so far
Samsung Galaxy S25 Ultra vs S25 Plus vs S25
Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
vivo x200 ultra camera array
Vivo’s next premium phone could have a camera unlike anything we’ve seen before — here’s how
Google Pixel 9a with thumbs up and thumbs down icons
Google Pixel 9a — 5 reasons to buy and 3 reasons to skip
Pixel 9 Pro XL held in the hand with price drop badge.
Not a typo! This epic deal makes the flagship Pixel 9 Pro XL the same price as the budget Pixel 9a
Latest in News
Apple Watch Series 10
Future Apple Watch models could get a surprising new feature — what we know
NYTimes Connections
NYT Connections today hints and answers — Monday, March 24 (#652)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #386 (Monday, March 24 2025)
iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays
Forget iPhone 17 — iPhone 18 could get this huge upgrade
The new Husqvarna iQ series robot lawn mower.
Husqvarna’s new robot mowers offer GPS for less
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
More about android phones
Samsung Galaxy S25 Edge next to Galaxy S25 Plus

Samsung Galaxy S25 Edge vs. Galaxy S25 Plus: Everything we know so far
Samsung Galaxy S25 Ultra vs S25 Plus vs S25

Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
Columbia Spring Deals

Columbia’s spring sale knocks up to 50% off outdoor apparel — 13 deals I’m right shopping now

See more latest
Most Popular
Parker Posey in Party Girl
We’re in the midst of a Parker Posey renaissance — which means you should watch this cult classic on Hulu
Garrett (Sebastian De Souza) and Alex (Sofia Carson) (L-R) holding hands in Netflix's "The Life List"
I watch Netflix for a living — these are the 5 new shows and movies to stream this week (March 24-30)
Bosch: Legacy; Survival of the Thickest; The Studio
7 top new TV shows to stream this week on Netflix, Apple TV and more (March 24-30)
NYTimes Connections
NYT Connections today hints and answers — Monday, March 24 (#652)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #386 (Monday, March 24 2025)
Apple Watch Series 10
Future Apple Watch models could get a surprising new feature — what we know
The new Husqvarna iQ series robot lawn mower.
Husqvarna’s new robot mowers offer GPS for less
best Netflix series Community
7 best shows about college you can stream now
iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays
Forget iPhone 17 — iPhone 18 could get this huge upgrade
Bernie
I’m a big fan of this offbeat comedy thriller starring Jack Black — and you can stream it free on YouTube right now