An Android task is a collection of activities that users interact with when performing a certain job. Activities from different apps can reside in the same task, which an attacker can abuse to relocate a malicious activity into your application's task by manipulating the following parameters:
- Task Affinity, controlled by the attribute `taskAffinity`
- Task Reparenting, controlled by the attribute `allowTaskReparenting`
Task Affinity is an activity attribute defined in the `<activity>` tag in the `AndroidManifest.xml`.
Task Affinity specifies which task the activity prefers to join. By default, all activities in an app have the same affinity, which is the app package name.
```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="co.secureApp.app">
    <application>
        <activity android:name=".ActivityA"></activity>
        <activity android:name=".ActivityB"
            android:taskAffinity="co.ostorlab.Myapp:taskB"></activity>
    </application>
</manifest>
```
When `allowTaskReparenting` is set to `true` for an activity A and a new task with the same affinity is brought to the front, the system moves the relocatable activity A from its original hosting task to the new foreground task.
Task Hijacking attacks come in different flavors:
- Task Affinity Control: the application has the package name `com.mySecureApp.app` and an activity A1. A malicious application has two activities, M1 and M2, where `M2.taskAffinity = com.mySecureApp.app` and `M2.allowTaskReparenting = true`. If the malicious app is open on M2, once you start your application, M2 is relocated to the front and the user will interact with the malicious application.
- Single Task Mode: the application has set its launch mode to `singleTask`. A malicious application with `M2.taskAffinity = com.mySecureApp.app` can hijack the target application task stack.
- Task Reparenting: the application has set `allowTaskReparenting` to `true`. A malicious application can move the target application task to the malicious application stack.
Task hijacking can be used to perform phishing and denial-of-use attacks, and has been exploited in the past by banking malware trojans. New flavors of the attack (StrandHogg 2.0) are extremely hard to detect, as they are code-based attacks.
Task hijacking has been addressed in Android version 11 as a part of a fix of
Different forms of Task Hijacking vulnerabilities require different fixes:
- Set the task affinity of the application activities to `""` (empty string) in the `<activity>` tag of the `AndroidManifest.xml` to force the activities to use a randomly generated task affinity, or set it at the `<application>` tag to enforce it on all activities in the application.
- The `singleInstance` launch mode ensures that no other activities will be created in the same task.
- Do not set the launch mode to `singleTask`, or add support for a monitoring service to detect the presence of malicious foreground tasks.
- Do not set the flag `FLAG_ACTIVITY_NEW_TASK` in activity launch intents, or use it with the `FLAG_ACTIVITY_CLEAR_TASK` flag:

```java
// Inside an Activity: launch AnActivity in a new task and clear any
// existing task associated with it before it starts.
Intent i = new Intent(this, AnActivity.class);
i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
i.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
startActivity(i);
```

- Do not specify `taskAffinity`, or add support for a monitoring service to detect the presence of malicious foreground tasks.
- Prefer explicit intents, which specify which application will satisfy the intent by supplying the target application package name or a fully-qualified component class name. An implicit intent only specifies the general action.
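
The manifest-level fixes above can be checked automatically. The following is an added example, not code from the original page: a small auditor that flags activities relying on the default or an explicit task affinity, `singleTask` launch mode, or `allowTaskReparenting`. It assumes a decoded, text-form `AndroidManifest.xml`; the sample manifest, package name and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.audit">
  <application>
    <activity android:name=".Login" android:launchMode="singleTask"/>
    <activity android:name=".Pay" android:taskAffinity=""/>
    <activity android:name=".Share" android:taskAffinity="com.example.other"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (activity_name, finding) tuples for task-hijacking exposure."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # Attributes set on <application> act as defaults for its activities.
        app_affinity = app.get(ANDROID + "taskAffinity")
        app_reparent = app.get(ANDROID + "allowTaskReparenting", "false")
        for act in app.iter("activity"):
            name = act.get(ANDROID + "name", "?")
            affinity = act.get(ANDROID + "taskAffinity", app_affinity)
            reparent = act.get(ANDROID + "allowTaskReparenting", app_reparent)
            mode = act.get(ANDROID + "launchMode", "standard")
            if affinity is None:
                # No affinity anywhere: the activity inherits the package name.
                findings.append((name, "default affinity (package name %s)" % package))
            elif affinity != "":
                findings.append((name, "explicit taskAffinity " + affinity))
            if mode == "singleTask":
                findings.append((name, "launchMode singleTask"))
            if reparent == "true":
                findings.append((name, "allowTaskReparenting true"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(name, "->", finding)
```

An activity with `taskAffinity=""` and no risky launch mode or reparenting, such as `.Pay` in the sample, produces no findings.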
- Understand Tasks and Back Stack - Android Documentation
- Towards Discovering and Understanding Task Hijacking in Android
- StrandHogg Attack
- StrandHogg Attack 2.0
- Task Hijacking exploited by Mobile Banking Malware
- CVE-2020-0267: WindowManager Confused Deputy