Key Information

Vulnerability Description

Vulnerability Type: Android Manifest Misconfiguration Leading to Task Hijacking
Affected Application: Idnow Online app (de.idnow)

Reproduction Steps

1. User downloads a malicious application.
2. User interacts with the malicious application.
3. User launches the victim application; however, the displayed activity is a phishing activity from the malicious app, not the legitimate app's activity.
4. User mistakenly believes they are using the victim application (while actually interacting with the malicious app) and enters personal information, leading to account information leakage, or is tricked into granting permissions to the malicious app.

Principle

Since most applications do not set the task affinity attribute, it defaults to the package name. Attackers can set the same value as the target application's package name. When the hijacking activity is launched, it creates a task stack identical to the victim application's and places itself at the root of the task stack. When the user opens the victim application, that task stack is brought to the foreground, and the hijacking activity comes to the foreground with it, displaying a phishing page instead of the legitimate application's activity.

Mitigation Measures

In the Android manifest file, set the task affinity attribute for application activities to a randomly generated value, or set it to an empty string to force all activities to use independent task affinities.

Attacker Application Code

AndroidManifest:

MainActivity:

Impact

Due to misconfiguration in the Android manifest file, task hijacking attacks are possible. Attackers can create malicious mobile applications to hijack legitimate applications and steal potentially sensitive information from the device.

References

Medium Article
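
One way to check the mitigation described above on your own app, as an added example that is not part of the original advisory: the Python script below reads a text-form manifest and reports every activity whose effective task affinity is still the package name. The sample manifest and the package name com.example.victim are constructed placeholders, and the input is assumed to be a decoded manifest that carries a package attribute.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = "{%s}taskAffinity" % ANDROID_NS
NAME = "{%s}name" % ANDROID_NS

# Constructed sample manifest; com.example.victim is a placeholder package.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
  <application>
    <activity android:name=".LoginActivity"/>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.victim"/>
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml):
    """Return (activity, affinity) pairs whose affinity is the package name.

    Resolution order follows the manifest rules: the activity's own
    attribute, then the <application> attribute, then the package name.
    An empty string means "no affinity" and is treated as hardened.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_affinity = app.get(AFFINITY)
        for activity in app.iter("activity"):
            affinity = activity.get(AFFINITY)
            if affinity is None:
                affinity = app_affinity
            if affinity is None:
                affinity = package  # unset everywhere: predictable default
            if affinity == package:
                findings.append((activity.get(NAME), affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in audit_task_affinity(SAMPLE_MANIFEST):
        print("predictable task affinity %r on %s" % (affinity, name))
```

Setting the attribute once on the application element to an empty string clears every finding for activities that do not override it.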