Key Information

Vulnerability Description

Vulnerability Type: Task Hijacking caused by Android Manifest Misconfiguration
Affected Application: Cat House app (com.house.auscat)
Impact Scope: All Android versions prior to Android 11

Reproduction Steps

1. User downloads a malicious application
2. User launches the malicious application
3. User launches the victim application; however, the displayed activity is not the original activity of the victim app, but rather the malicious application’s activity

Principle

Exploits the fact that is either not set or defaults to the package name. Attackers can set the same as the target application, thereby creating a task stack identical to that of the victim app. When the victim launches the application, the malicious app’s task stack is brought to the foreground, achieving task hijacking.

Mitigation Measures

In , set the attribute to a randomly generated task affinity, or set it to an empty string to force all activities to use independent task affinities.

Attacker Code Example

AndroidManifest.xml:

MainActivity.java:

Impact

Due to misconfiguration in the Android manifest file, attackers can exploit task hijacking to create malicious mobile applications, hijack legitimate applications, and steal sensitive information from the device.