If your Android phone can install Google's May security update, be sure to run the update. [The critical vulnerability, dubbed Strandhogg 2.0, which was revealed yesterday (May 26), can be used to "access private SMS messages and photos, steal victims' login credentials, track GPS movements, track phone conversations and spy on them through the phone's camera and microphone.

Strandhogg 2.0 superficially resembles the previous Strandhogg Android flaw that Promon released in December 2019. Both Strandhogg (the name comes from a Viking term meaning coastal raid) let malware disguise legitimate Android apps and system screens.

As a result, the Facebook username and password might be entered into a fake Facebook app instead of the real one, handing control of the Facebook account to the attacker (unless two-factor authentication is enabled). Or you might give the attacking app permission to use your camera and microphone, allowing it to spy on you.

The good news is that Android 10 phones are not affected by Strandhogg 2.0, and Android 8.0 and 8.1 Oreo and Android 9 Pie were patched with a security update in early May. Also, the flaw has not yet been exploited, but that could change soon.

The bad news is that many phones that are not Google Pixels or Samsung flagship models will not receive the May security patch for several months. older phones running earlier versions of Android will likely will likely never be patched.

Both versions of Strandhogg can be exploited without taking app permissions, so there will be little to inform phone users that something might be wrong. The first Strandhogg, however, can be easily detected using Google's own Play Protect software.

Strandhogg 2.0 is not. Malware that exploits it may get past even the best Android antivirus apps. A perfectly harmless app might later be updated to exploit Strandhogg 2.0 and fool Google Play.

Promon researchers notified Google of the Strandhogg 2.0 flaw on December 4, 2019, and Google confirmed the severity of the flaw five days later. However, it took Google nearly five months to fix the vulnerability, and Promon gave Google a break by extending the 90-day disclosure deadline twice.