Key Information

Vulnerability Description

Vulnerability Type: Task Hijacking caused by Android Manifest Misconfiguration.
Affected Application: Rejseplanen app (de.hafas.android.rejseplanen).
Impact Scope: All Android versions prior to Android 11.

Reproduction Steps

1. User downloads a malicious application.
2. User launches the malicious application.
3. User launches the victim application; however, the displayed activity is not the original activity of the victim app, but a phishing activity from the malicious app.
4. User mistakenly believes they are using the victim application and enters personal information or grants permissions to the malicious app.

Principle

Exploits the fact that is either not set or defaults to the package name. Attackers can set the same as the victim application. When the malicious activity is launched, it creates a task stack identical to that of the victim application and positions itself at the root of the task stack. When the victim application is launched, its task is brought to the foreground, followed by the malicious activity also being brought to the foreground. The user sees the malicious activity instead of the original one.

Mitigation Measures

Set the attribute to an empty string in , forcing all activities to use randomly generated task affinities. Alternatively, set the attribute within the tag to enforce this for all activities in the application.

Attacker Code Example

Video Proof of Concept

Demonstrates that after executing the malicious program, the task is successfully hijacked. When the victim application is launched, the malicious application is actually opened instead.
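
An added example, not part of the original advisory: a manifest audit for the mitigation described above, assuming the attribute in question is Android's `android:taskAffinity` and that the manifest has already been decoded to plain XML. The package and activity names in the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (not taken from any real app).
UNSET = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".LoginActivity" android:taskAffinity=""/>
    <activity android:name=".PayActivity" android:taskAffinity="com.example.pay"/>
  </application>
</manifest>"""

# Same manifest with the application-level mitigation applied.
HARDENED = UNSET.replace("<application>", '<application android:taskAffinity="">')


def effective_affinities(manifest_xml):
    """Map each activity name to the task affinity it ends up with."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = {}
    for app in root.iter("application"):
        # The application-level value applies to every activity that does not
        # override it; with nothing set, the affinity is the package name.
        app_default = app.get(AFFINITY, package)
        for act in app.iter("activity"):
            result[act.get(NAME, "?")] = act.get(AFFINITY, app_default)
    return result


def predictable_affinity(manifest_xml):
    """Activities whose affinity is a fixed, guessable (non-empty) name."""
    found = effective_affinities(manifest_xml)
    return sorted(name for name, aff in found.items() if aff != "")


if __name__ == "__main__":
    for label, xml in (("unset", UNSET), ("hardened", HARDENED)):
        print(label, "->", predictable_affinity(xml))
```

An activity that declares its own non-empty affinity is still reported after the application-level fix, because the per-activity value overrides the application default.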