
[BUG]StrandHogg2.0 Restoration suggestions

Open 1pear1 opened this issue 8 months ago • 1 comments

[Vulnerability Title] Domain name and scope affected by the vulnerability, parameters involved, vulnerability type, etc.

Vulnerability Type: Android Task Stack Hijacking
Affected Scope: Applications with standard startup mode

[Vulnerability Description] Contains the URL, parameters, application version, etc. involved in the vulnerability.

The attacker deliberately did not set the FLAG_ACTIVITY_NEW_TASK flag of the disguised page and placed a disguised page in the task stack of the target application. When the user clicks the target application icon, pressing the back key will start the Activity of the malicious application written by the attacker. It is difficult for the user to distinguish between the normal page and the disguised page. The attacker can use this to imitate the login interface of the target application and induce the user to enter the account and password, thereby stealing the user's private information.

[Reproduction method] Describe the vulnerability reproduction sequence according to logic. If you use a tool to reproduce the vulnerability, you should provide the tool name.

  1. Write an attack application and set the target application package name and activity name.
  2. Install the attack application on the test device.
  3. Start the target application and observe whether the task stack is successfully hijacked and the activity of the attack application is started.

https://github.com/user-attachments/assets/681ac1c9-a1f0-438d-b5e5-d410d3eecf04

https://github.com/user-attachments/assets/bdd25dd5-d27e-4b42-a8ea-19c808e22f7e

[Proof of exploitation] Contains the vulnerability impact description and the proof of exploitation, which are generally provided in the form of screenshots.

The attack application is successfully started. When the user initially starts the APP, pressing the back button will display the counterfeit target application interface. The information entered by the user is captured by the attack application. The specific process is shown in the attachment.

[Repair plan] Provide at least one executable repair suggestion, which can provide code-level repair suggestions or protection strategies.

  1. Without affecting the normal function of the application, try to set android:launchMode="singleTask". When the application is first started, the disguised page will be cleared in the activity stack, so it will not be attacked in this case;
  2. Without affecting the normal function of the application, try to set android:exported="true" to prevent it from being started from an external application;
  3. When the application is started, count the number of activities in the foreground task in the task stack. If the number is greater than the initial setting value, prompt the user that there may be a disguised malicious attack page, and recommend that the user not enter sensitive information.

https://github.com/user-attachments/assets/012bf24b-0358-49fc-afb6-36da03b1cf2c

Sample code:

```kotlin
import android.app.Activity
import android.app.ActivityManager
import android.app.ActivityManager.AppTask
import android.app.ActivityManager.RecentTaskInfo
import android.widget.Toast

class MainActivity : Activity() {
    override fun onResume() {
        super.onResume()
        val activityManager = getSystemService(ACTIVITY_SERVICE) as ActivityManager
        val appTasks: List<AppTask> = activityManager.getAppTasks()
        if (appTasks.isNotEmpty()) {
            val initialActivityCount = 1 // activities a fresh launch of this app should hold
            val taskInfo: RecentTaskInfo = appTasks[0].taskInfo
            val numActivities: Int = taskInfo.numActivities
            // A deeper task than expected means another activity was placed beneath ours.
            if (numActivities > initialActivityCount) {
                Toast.makeText(this, "Warning: The number of activities in the current foreground task is abnormal, which may pose a security risk. Please be careful not to enter sensitive information on subsequent pages!", Toast.LENGTH_LONG).show()
            }
        }
    }
}
```

1pear1 avatar Apr 16 '25 05:04 1pear1

Thank you @1pear1 for this detailed and well-documented report on the StrandHogg 2.0 task hijacking vulnerability and the proposed remediation strategies.

Summary of the Issue

You've outlined a task stack hijacking exploit, where a malicious app injects a counterfeit activity into the foreground task stack of a target app. Upon launching the legitimate app, users may unknowingly interact with the attacker's fake UI, allowing credential theft and other sensitive data leaks.

Recommended Actions

We agree with the direction of your proposed solutions. Here's how developers can harden their apps:

Use Safer Launch Modes

Set android:launchMode="singleTask" or singleInstance (where appropriate) on sensitive entry-point activities to ensure the system clears unrelated activities from the task stack.

```xml
<activity android:name=".MainActivity" android:launchMode="singleTask" />
```

Prevent External Launches

Set android:exported="false" on sensitive activities unless they are intentionally exposed to other apps.

Monitor Task Stack at Runtime

Runtime integrity checks, like the one you suggested, are helpful in detecting abnormal task stack depth and warning users appropriately.

```kotlin
val activityManager = getSystemService(ACTIVITY_SERVICE) as ActivityManager
val appTasks = activityManager.appTasks

if (appTasks.isNotEmpty()) {
    val suspiciousThreshold = 1
    val numActivities = appTasks[0].taskInfo.numActivities
    if (numActivities > suspiciousThreshold) {
        Toast.makeText(
            this,
            "Warning: Unexpected activity stack. Please do not enter sensitive information.",
            Toast.LENGTH_LONG
        ).show()
    }
}
```

🔍 Next Steps

We'll evaluate integrating these protections into sample apps and documentation.

The video and POC help demonstrate the real-world applicability of this attack and reinforce the need for secure defaults.

Developers should also review their taskAffinity settings, which can be exploited if not explicitly set.

Thanks again for the responsible disclosure and the detailed mitigation approach. This helps improve security across the Android ecosystem.

VaradGupta23 avatar Jul 15 '25 12:07 VaradGupta23
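As an added example (not code from either post, nor from the architecture-samples project), the runtime check proposed in the report and echoed in the reply is extended so that it also compares the task's base and top activities against the app's own package, which catches a foreign activity sitting under ours even when the activity count looks normal. `TaskStackVerdict`, `inspectForegroundTask` and `warnIfTaskStackSuspicious` are names chosen here, and API level 23 or higher is assumed for the `RecentTaskInfo` fields used.

```kotlin
import android.app.Activity
import android.app.ActivityManager
import android.content.ComponentName
import android.content.Context
import android.widget.Toast

// Outcome of inspecting the task that holds this app's activities (type name chosen for this example).
sealed class TaskStackVerdict {
    object Clean : TaskStackVerdict()
    data class TooDeep(val count: Int, val expected: Int) : TaskStackVerdict()
    data class ForeignActivity(val component: ComponentName) : TaskStackVerdict()
}

// Returns the first anomaly found in the app's own foreground task, or Clean.
// expectedDepth is how many activities a fresh launch legitimately holds (1 for a single entry activity).
// RecentTaskInfo.baseActivity / topActivity require API 23+ (assumed minSdk here).
fun inspectForegroundTask(activity: Activity, expectedDepth: Int = 1): TaskStackVerdict {
    val am = activity.getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager
    val task = am.appTasks.firstOrNull()?.taskInfo ?: return TaskStackVerdict.Clean
    val ownPackage = activity.packageName

    // In the reported scenario the counterfeit activity sits *under* ours, so it appears as the
    // task's base activity; checking the package at both ends flags it regardless of the count.
    for (component in listOfNotNull(task.baseActivity, task.topActivity)) {
        if (component.packageName != ownPackage) return TaskStackVerdict.ForeignActivity(component)
    }
    if (task.numActivities > expectedDepth) {
        return TaskStackVerdict.TooDeep(task.numActivities, expectedDepth)
    }
    return TaskStackVerdict.Clean
}

// Call from the entry activity's onResume(). This complements, not replaces, the manifest hardening
// discussed above (android:launchMode="singleTask", android:exported="false", an explicit android:taskAffinity).
fun warnIfTaskStackSuspicious(activity: Activity) {
    val message = when (val verdict = inspectForegroundTask(activity)) {
        TaskStackVerdict.Clean -> return
        is TaskStackVerdict.TooDeep ->
            "Warning: this task holds ${verdict.count} screens (expected ${verdict.expected}). " +
                "Do not enter sensitive information."
        is TaskStackVerdict.ForeignActivity ->
            "Warning: ${verdict.component.flattenToShortString()} from another app is in this task. " +
                "Do not enter sensitive information."
    }
    Toast.makeText(activity, message, Toast.LENGTH_LONG).show()
}
```

The verdict type lets the app log the anomaly or disable credential fields instead of relying on a toast alone.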