If your Android phone can install Google's May security update, be sure to run the update [The critical vulnerability, dubbed Strandhogg 20, which was revealed yesterday (May 26), can be used to "access private SMS messages and photos, steal victims' login credentials, track GPS movements, track phone conversations and spy on them through the phone's camera and microphone

Strandhogg 20 superficially resembles the previous Strandhogg Android flaw that Promon released in December 2019 Both Strandhogg (the name comes from a Viking term meaning coastal raid) let malware disguise legitimate Android apps and system screens

As a result, the Facebook username and password might be entered into a fake Facebook app instead of the real one, handing control of the Facebook account to the attacker (unless two-factor authentication is enabled) Or you might give the attacking app permission to use your camera and microphone, allowing it to spy on you

The good news is that Android 10 phones are not affected by Strandhogg 20, and Android 80 and 81 Oreo and Android 9 Pie were patched with a security update in early May Also, the flaw has not yet been exploited, but that could change soon

The bad news is that many phones that are not Google Pixels or Samsung flagship models will not receive the May security patch for several months older phones running earlier versions of Android will likely will likely never be patched

Both versions of Strandhogg can be exploited without taking app permissions, so there will be little to inform phone users that something might be wrong The first Strandhogg, however, can be easily detected using Google's own Play Protect software

Strandhogg 20 is not Malware that exploits it may get past even the best Android antivirus apps A perfectly harmless app might later be updated to exploit Strandhogg 20 and fool Google Play

Promon researchers notified Google of the Strandhogg 20 flaw on December 4, 2019, and Google confirmed the severity of the flaw five days later However, it took Google nearly five months to fix the vulnerability, and Promon gave Google a break by extending the 90-day disclosure deadline twice