Explaining the vulnerability, CERT-In said, “An Elevation of Privilege vulnerability named ‘StrandHogg 2.0’ has been reported in Google Android due to a confused deputy flaw in the ‘startActivities()’ of ‘ActivityStartController.java’, which allows the attacker to hijack any app on an infected device. A local attacker could exploit this vulnerability by installing a malicious app on a device which can hide behind legitimate apps.” This vulnerability is present in Android operating system versions prior to Android 10.0.
By exploiting this vulnerability, attackers can gain access to the victim’s login credentials, SMS messages, photos and phone conversations, spy on the user through the phone’s microphone and camera, and track GPS location details on an affected device, it added.
CERT-In advises users not to download and install applications from untrusted sources such as unknown websites or links sent over messages or emails. It also advises turning off the “Unknown Sources” option for application installation in the Security Settings page.
“Install applications downloaded from reputed application markets only. Do not visit untrusted websites or follow links provided by unknown or untrusted sources. Install updates and patches as and when available from device vendors/service providers,” the advisory says.
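For an administrator triaging a fleet against the two conditions the advisory names (an Android release below 10.0, and the “Unknown Sources” setting enabled), here is an added shell helper; it is not part of the CERT-In advisory. It assumes `adb` is on the PATH with USB debugging enabled on the device, and reads the standard `ro.build.version.release` property and the `install_non_market_apps` secure setting; the verdict functions take plain strings so they can be exercised offline.

```shell
# Added example, not CERT-In's code. Flags devices in the affected release
# range (below Android 10.0) and whether the global "Unknown Sources"
# setting is on. Property and setting names are standard Android ones.

# Exit 0 when the release string's major number is below 10 (affected range).
release_is_affected() {
    major="${1%%.*}"
    [ "$major" -lt 10 ]
}

# Exit 0 when install_non_market_apps is "1"; "null" (unset) counts as off.
unknown_sources_enabled() {
    [ "$1" = "1" ]
}

# One-word verdict for a device from its release string and setting value.
assess_device() {
    release="$1"; unknown="$2"
    case "${release%%.*}" in
        ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;   # unparseable release
    esac
    if release_is_affected "$release"; then
        if unknown_sources_enabled "$unknown"; then
            echo "EXPOSED"          # old OS and sideloading enabled
        else
            echo "UNPATCHED_OS"     # old OS, sideloading switched off
        fi
    else
        echo "OK"
    fi
}

# Live use against the connected device (assumes adb and USB debugging).
assess_connected_device() {
    release="$(adb shell getprop ro.build.version.release | tr -d '\r')"
    unknown="$(adb shell settings get secure install_non_market_apps | tr -d '\r')"
    assess_device "$release" "$unknown"
}

# Constructed sample values, not read from a real device:
assess_device "9" "1"       # EXPOSED
assess_device "8.1.0" "0"   # UNPATCHED_OS
assess_device "10" "1"      # OK
```

On Android 8.0 and later the unknown-sources permission is granted per app rather than globally, so the setting queried here is only a coarse signal there; the release check is the reliable part.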