Key Information

Vulnerability Description

Vulnerability Type: Android Manifest Misconfiguration leading to Task Hijacking
Affected Application: Huuge Box app (com.huuge.game.zjbox)

Reproduction Steps

1. User downloads a malicious application.
2. User uses the malicious application.
3. User launches the victim application, but instead sees a phishing activity from the malicious app, not the original app's activity.
4. User mistakenly believes they are using the victim application and enters personal information, resulting in account information leakage or in permissions being granted to the malicious app.

Principle

Since most applications do not set the taskAffinity attribute, it defaults to the package name. Attackers can set the same taskAffinity as the target application, creating an identical task stack and placing their own activity at the root of that task stack. When the user launches the victim application, the malicious app's phishing page is launched instead.

Mitigation Measures

In AndroidManifest.xml, set the taskAffinity attribute of application activities to a randomly generated value or an empty string to prevent all activities from sharing the same task stack.

Attacker Code Example

AndroidManifest.xml:

MainActivity.java:

Impact

Due to incorrect Android manifest configuration, attackers can perform task hijacking attacks via malicious applications, leading to theft of sensitive information.

Reference Links

Medium Article
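One way to check a decoded manifest for the condition described under Mitigation Measures, as an added example that is not part of the original advisory or the affected app's code. It assumes the attribute in question is android:taskAffinity; the package name com.example.victim, the sample manifest and the function name audit_task_affinity are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest; not the affected application's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <application>
    <activity android:name=".LoginActivity" />
    <activity android:name=".MainActivity" android:taskAffinity="" />
    <activity android:name=".PayActivity" android:taskAffinity="com.example.victim" />
    <activity android:name=".HelpActivity" android:taskAffinity="a9f3c1.help" />
  </application>
</manifest>
"""

def audit_task_affinity(manifest_xml):
    """Return [(activity_name, reason)] for every activity whose effective
    task affinity is the predictable default, i.e. the package name."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # An <application>-level value is the default for all its activities.
        app_affinity = app.get(AFFINITY)
        for act in app.iter("activity"):
            own = act.get(AFFINITY)
            if own is None and app_affinity is None:
                # Nothing set anywhere: Android falls back to the package name.
                findings.append((act.get(NAME), "unset, defaults to package name"))
                continue
            value = own if own is not None else app_affinity
            # An empty string means "no affinity"; only a non-empty value
            # equal to the package name reproduces the default.
            if value and value == package:
                findings.append((act.get(NAME), "explicitly equal to package name"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

Run it against the manifest decoded from a release build, since merged library manifests can contribute activities that the source manifest does not list.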