
task hijacking bug

Open · yssssyy opened this issue 8 months ago · 1 comment

Task stack hijacking affects apps with startup modes of singletask and standard

We hijacked the task stack of the application by setting the same taskAffinity. When the user clicks on the application, what is actually displayed is the activity of the attack application we wrote (there is no interface switching in the entire process, which is very hidden and difficult for the user to discover). By designing the activity in this way, we can mimic the login interface of the application, induce the user to log in, and steal the user's private password information.

Reproduction method: Write an attack application that hijacks the application's task stack by setting the taskAffinity attribute to the package name of soul.

Expected behaviour

Repair plan

1. Set the taskAffinity property of the application's activity to empty.

2. When the APP is initially enabled, check whether the number of front-end tasks in the activity stack is greater than the initial set value. If it is greater than the initial set value, it is necessary to draw the user's attention to the possibility of disguised malicious attacks in the future. Do not output sensitive information on the page.

Example code:

```kotlin
import android.app.ActivityManager
import android.content.Context
import android.widget.Toast

// Run inside an Activity (e.g. in the launcher Activity's onCreate)
val activityManager = getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager
val appTasks: List<ActivityManager.AppTask> = activityManager.appTasks

if (appTasks.isNotEmpty()) {
    // Assuming that the initial set number of front-end task activities is 5
    val initialActivityCount = 5
    val taskInfo: ActivityManager.RecentTaskInfo = appTasks[0].taskInfo
    val numActivities: Int = taskInfo.numActivities

    if (numActivities > initialActivityCount) {
        // If the number of activities in the current front-end task is greater than the
        // initial set value, a Toast prompt pops up to remind the user to pay attention to safety
        Toast.makeText(
            this,
            "Warning: The current front-end task has an abnormal number of activities, which may pose a security risk. Please be careful not to enter sensitive information on subsequent pages!",
            Toast.LENGTH_LONG
        ).show()
    }
}
```

The specific attack video has been attached.

攻击视频1.zip

yssssyy · Apr 18 '25 07:04

Hi @yssssyy

Thanks for bringing this to our attention and for sharing the detailed explanation and reproduction steps — this is a well-known class of task hijacking attacks that can be particularly dangerous for apps using launchMode="singleTask" or launchMode="standard" with non-empty or misconfigured taskAffinity.

Summary

Malicious apps can spoof legitimate activities by:

1. Declaring the same taskAffinity as the target app.

2. Inserting their own activity into the task stack.

3. Appearing seamlessly when the user reopens the original app, tricking them into entering sensitive data (e.g., passwords).

Recommended Fixes for Developers

To mitigate this risk, we strongly recommend:

1. Set taskAffinity="" explicitly in all exported activities unless a different behavior is intentionally required.

```xml
<activity android:name=".MainActivity" android:taskAffinity="" />
```

2. Avoid singleTask or singleInstance launch modes unless absolutely necessary. Prefer standard or singleTop.

3. Validate task integrity on resume, especially in sensitive screens. Your approach using ActivityManager.getAppTasks() is a practical runtime defense.

Your sample logic:

```kotlin
val activityManager = getSystemService(ACTIVITY_SERVICE) as ActivityManager
val appTasks = activityManager.appTasks
val suspiciousThreshold = 5

if (appTasks.isNotEmpty()) {
    val numActivities = appTasks[0].taskInfo.numActivities
    if (numActivities > suspiciousThreshold) {
        Toast.makeText(this, "Warning: Unusual activity stack detected. Avoid entering sensitive data.", Toast.LENGTH_LONG).show()
    }
}
```

4. Use FLAG_SECURE and integrity checks if your app handles confidential information.

Note to Framework Team (If you're submitting this to an Android project): This highlights the need for improved system-level protections (e.g., runtime detection or warnings in the system UI when unusual taskAffinity overlaps are detected). Also, documentation for taskAffinity might benefit from stronger guidance around potential abuse.

Thanks again for this responsible disclosure. We'll review the attached video and consider adjustments in documentation or sample templates to promote secure taskAffinity usage.

VaradGupta23 · Jul 15 '25 12:07
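A static manifest check for the misconfiguration the reply above describes (activities left with a non-empty taskAffinity, ranked higher when combined with singleTask/singleInstance). This is an added example, not code from the issue or from architecture-samples; the manifest and the com.example.bank package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package name): one misconfigured
# singleTask activity, one hardened with taskAffinity="", one default standard.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank">
    <activity android:name=".MainActivity" android:launchMode="singleTask"
              android:exported="true" />
    <activity android:name=".LoginActivity" android:taskAffinity=""
              android:exported="false" />
    <activity android:name=".SettingsActivity" android:exported="false" />
  </application>
</manifest>"""


def _android_attr(elem, name):
    # Attributes in the android: namespace are keyed as "{ns}name" by ElementTree
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_affinity(manifest_xml):
    """One finding per activity that still has a non-empty task affinity.
    An activity inherits the <application> affinity, which defaults to the
    package name, so only an explicit taskAffinity="" opts it out."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_affinity = _android_attr(app, "taskAffinity") if app is not None else None
    default_affinity = app_affinity if app_affinity is not None else root.get("package")
    findings = []
    for activity in root.iter("activity"):
        affinity = _android_attr(activity, "taskAffinity")
        if affinity is None:
            affinity = default_affinity
        if affinity == "":
            continue  # hardened: not joinable by affinity from another app
        launch_mode = _android_attr(activity, "launchMode") or "standard"
        findings.append({
            "activity": _android_attr(activity, "name"),
            "taskAffinity": affinity,
            "launchMode": launch_mode,
            "exported": _android_attr(activity, "exported") == "true",
            # singleTask/singleInstance ranked higher, as the reply advises avoiding them
            "severity": "high" if launch_mode in ("singleTask", "singleInstance") else "medium",
            "fix": 'set android:taskAffinity="" and prefer standard or singleTop',
        })
    return findings
```

Run it over a real AndroidManifest.xml to list every activity that still needs the taskAffinity="" change before release.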