Key Information Vulnerability Description Vulnerability Type: Android Manifest Misconfiguration leading to Task Hijacking Affected Application: Idnow Online app (de.idnow) Impact Scope: All Android versions prior to Android 11 Reproduction Steps 1. User downloads a malicious application. 2. User uses the malicious application. 3. User launches the victim application; however, the displayed activity is not the original activity of the victim app, but rather a phishing activity from the malicious app. 4. User mistakenly believes they are using the victim application (while actually interacting with the malicious app), enters personal information, resulting in account information leakage or granting permissions to the malicious application. Principle Since most applications do not set the attribute, it defaults to the package name. Attackers can set the same as the target application’s package name. When the malicious activity is launched, it creates a task stack identical to the victim application’s and places itself at the root of the task stack. When the user opens the victim application, the malicious activity at the root of the task stack is brought to the foreground, thereby achieving task hijacking. Mitigation Measures In the file, set the attribute for application activities to (empty string), forcing all activities to use randomly generated task affinities. Alternatively, apply this setting within the tag to enforce it for all activities in the app. Attacker Code Example Provides sample and code for the malicious application. Impact Due to incorrect Android manifest configuration, task hijacking attacks may be executed. Attackers can create malicious mobile applications to hijack legitimate applications and steal sensitive information potentially available after installation on the device. References Medium Article