India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In), has recently issued a warning on its website against a new security vulnerability that lets an attacker hijack any app on an Android device.

“An Elevation of Privilege vulnerability named “StrandHogg 2.0” had been reported in the Google Android due to confused deputy flaw in the “start activities()” in the “ActivityStartController.java” which allow the attacker to hijack any app on an infected device,” read the CERT-In advisory.

The vulnerability can be used to install a malicious app on an Android device that hides behind legitimate apps. This malware then lets attackers hijack any app on the infected device.

“Successful exploitation of this vulnerability could allow the attacker to gain access to a victim’s login credentials, SMS messages, photos, phone conversations, spy on the user through the phone’s microphone and camera and also track GPS location details on an affected device,” the advisory read.

The cybersecurity agency has provided a severity rating of “High” for this particular vulnerability.

The StrandHogg 2.0 affects Android devices running below Android 10 all the way back to Honeycomb (3.0). This means that it affects over 90 per cent of Android devices according to an XDADevelopers report.

Guidelines for users

The Indian cybersecurity agency has provided certain guidelines that users could follow to prevent their devices from this issue.

This includes installing updates and patches for the vulnerability “as and when available from device vendors/service providers.” Google has said that it has pushed out a fix for the vulnerability according to the XDADevelopers report.

Users should not download and install updates from untrusted sources that include unknown websites and download links provided in unsolicited messages or emails.

“Ensure to turn off the “Unknown Source” in the Security Settings page,” the advisory read.