coolweather

[BUG] StrandHogg 2.0 Restoration suggestions

Open 1pear1 opened this issue 8 months ago • 0 comments

[Vulnerability Title] Domain name and scope affected by the vulnerability, parameters involved, vulnerability type, etc.
Vulnerability Type: Android Task Stack Hijacking
Affected Scope: Applications with standard startup mode

[Vulnerability Description] Contains the URL, parameters, application version, etc. involved in the vulnerability.
The attacker deliberately did not set the FLAG_ACTIVITY_NEW_TASK flag of the disguised page and placed a disguised page in the task stack of the target application. When the user clicks the target application icon, pressing the back key will start the Activity of the malicious application written by the attacker. It is difficult for the user to distinguish between the normal page and the disguised page. The attacker can use this to imitate the login interface of the target application and induce the user to enter the account and password, thereby stealing the user's private information.

[Reproduction method] Describe the vulnerability reproduction sequence according to logic. If you use a tool to reproduce the vulnerability, you should provide the tool name.

  1. Write an attack application and set the target application package name and activity name.
  2. Install the attack application on the test device.
  3. Start the target application and observe whether the task stack is successfully hijacked and the activity of the attack application is started.

https://github.com/user-attachments/assets/04d49dcb-8c14-416d-862c-cc5e8a272cb4

[Proof of exploitation] Contains the vulnerability impact description and the proof of exploitation, which are generally provided in the form of screenshots.
The attack application is successfully started. When the user initially starts the APP, pressing the back button will display the counterfeit target application interface. The information entered by the user is captured by the attack application. The specific process is shown in the attachment.

[Repair plan] Provide at least one executable repair suggestion, which can provide code-level repair suggestions or protection strategies.

  1. Without affecting the normal function of the application, try to set android:launchMode="singleTask". When the application is first started, the disguised page will be cleared in the activity stack, so it will not be attacked in this case;

  2. Without affecting the normal function of the application, try to set android:exported="true" to prevent it from being started from an external application;

  3. When the application is started, count the number of activities in the foreground task in the task stack. If the number is greater than the initial setting value, prompt the user that there may be a disguised malicious attack page, and recommend that the user not enter sensitive information.

https://github.com/user-attachments/assets/d398265b-fc3b-4339-9620-ee50c2e9c8e4

Restoration code:

```java
package com.example.coolweather;

import androidx.appcompat.app.AppCompatActivity;

import android.app.ActivityManager;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.database.sqlite.SQLiteDatabase;
import android.os.Bundle;
import android.preference.PreferenceManager;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

import org.litepal.LitePal;

import java.util.List;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(this);
        if (prefs.getString("weather", null) != null) {
            Intent intent = new Intent(this, WeatherActivity.class);
            startActivity(intent);
            finish();
        }

        ActivityManager activityManager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        final List<ActivityManager.AppTask> appTasks = activityManager.getAppTasks();

        if (appTasks != null && !appTasks.isEmpty()) {
            // Assumed initial number of activities in the foreground task
            // (1: MainActivity is the only activity this app has placed in the task).
            final int initialActivityCount = 1;
            final ActivityManager.RecentTaskInfo taskInfo = appTasks.get(0).getTaskInfo();
            final int numActivities = taskInfo.numActivities;

            if (numActivities > initialActivityCount) {
                // The foreground task holds more activities than the configured value:
                // show a Toast telling the user to be careful.
                Toast.makeText(this, "Warning: The number of activities in the current foreground task is abnormal, which may pose a security risk. Please be careful not to enter sensitive information on subsequent pages!", Toast.LENGTH_LONG).show();
            }
        }

        // Earlier variant left commented out in the submission (it counts the packages of
        // foreground processes rather than the activities in the task):
        // ActivityManager activityManager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        // List<ActivityManager.RunningAppProcessInfo> runningProcesses = activityManager.getRunningAppProcesses();
        //
        // int numActivities = 0;
        // for (ActivityManager.RunningAppProcessInfo processInfo : runningProcesses) {
        //     if (processInfo.importance == ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND) {
        //         numActivities += processInfo.pkgList.length;
        //     }
        // }
        //
        // Log.d("MainActivity", "Number of activities in the foreground task: " + numActivities);
    }
}
```

1pear1 Apr 17 '25 15:04
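As an added example (editor's code, not from the coolweather project or the reporter), the following extends the counting check from repair plan item 3. Besides comparing `numActivities` with the expected count, it compares the package of the task's bottom-most and top-most activity (reported by `ActivityManager.RecentTaskInfo.baseActivity` and `topActivity` from API 23) against the app's own package name, and it locates the task hosting the current activity instead of always taking index 0. `TaskStackCheck`, `Reason`, `evaluate`, `checkForegroundTask` and `warnIfSuspicious` are names chosen for this example; the code is meant to be compiled inside the app module with the Android SDK.

```java
package com.example.coolweather;

import android.app.Activity;
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.widget.Toast;

import java.util.List;

/**
 * Added example (not part of the coolweather project): heuristic check that the
 * foreground task contains only this app's activities, in the expected number.
 * Class and method names are illustrative.
 */
public final class TaskStackCheck {

    /** Why a task was judged suspicious; NONE means it looked normal. */
    public enum Reason { NONE, TOO_MANY_ACTIVITIES, FOREIGN_BASE_ACTIVITY, FOREIGN_TOP_ACTIVITY }

    private TaskStackCheck() {}

    /**
     * Pure decision logic, kept free of Android types so it can be unit-tested on a plain JVM.
     * expectedMax is the number of activities the app itself has put in the task at this
     * point (1 when MainActivity is the only one). basePkg/topPkg may be null when the
     * platform does not report them (API < 23); then only the count is used.
     */
    public static Reason evaluate(int numActivities, int expectedMax,
                                  String basePkg, String topPkg, String ownPkg) {
        // A task whose bottom-most activity belongs to another package was not created by us.
        if (basePkg != null && !ownPkg.equals(basePkg)) return Reason.FOREIGN_BASE_ACTIVITY;
        // The activity currently on top of our own task belongs to another package.
        if (topPkg != null && !ownPkg.equals(topPkg)) return Reason.FOREIGN_TOP_ACTIVITY;
        // Same check as the submitted fix: more activities than this app placed itself.
        if (numActivities > expectedMax) return Reason.TOO_MANY_ACTIVITIES;
        return Reason.NONE;
    }

    /** Reads the task that hosts {@code activity} from ActivityManager and applies evaluate(). */
    public static Reason checkForegroundTask(Activity activity, int expectedMax) {
        ActivityManager am = (ActivityManager) activity.getSystemService(Context.ACTIVITY_SERVICE);
        if (am == null) return Reason.NONE;
        List<ActivityManager.AppTask> tasks = am.getAppTasks();          // API 21+
        if (tasks == null || tasks.isEmpty()) return Reason.NONE;

        // Prefer the task this activity actually lives in over blindly taking index 0.
        ActivityManager.RecentTaskInfo info = null;
        for (ActivityManager.AppTask task : tasks) {
            ActivityManager.RecentTaskInfo candidate = task.getTaskInfo();
            if (candidate != null && candidate.id == activity.getTaskId()) {
                info = candidate;
                break;
            }
        }
        if (info == null) info = tasks.get(0).getTaskInfo();
        if (info == null) return Reason.NONE;

        String basePkg = null;
        String topPkg = null;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {            // fields exist from API 23
            ComponentName base = info.baseActivity;
            ComponentName top = info.topActivity;
            basePkg = base != null ? base.getPackageName() : null;
            topPkg = top != null ? top.getPackageName() : null;
        }
        return evaluate(info.numActivities, expectedMax, basePkg, topPkg, activity.getPackageName());
    }

    /** Typical call from MainActivity.onCreate(): warn the user, but keep the app usable. */
    public static Reason warnIfSuspicious(Activity activity, int expectedMax) {
        Reason reason = checkForegroundTask(activity, expectedMax);
        if (reason != Reason.NONE) {
            Toast.makeText(activity,
                    "Warning: unexpected activity in this task (" + reason
                            + "). Do not enter account details on the next screen.",
                    Toast.LENGTH_LONG).show();
        }
        return reason;
    }
}
```

Call `TaskStackCheck.warnIfSuspicious(this, 1)` at the end of `MainActivity.onCreate()`. The pure `evaluate()` method can be exercised in a JVM unit test with constructed values: `evaluate(2, 1, "com.attacker.example", null, "com.example.coolweather")` (the attacker package name is a made-up value) returns `FOREIGN_BASE_ACTIVITY`, while `evaluate(1, 1, "com.example.coolweather", "com.example.coolweather", "com.example.coolweather")` returns `NONE`. The checks are a heuristic layer: the count can be legitimately exceeded after configuration changes or deep links, so treat a hit as a reason to warn rather than to block, and keep the manifest hardening from the repair plan alongside it; the manifest attribute that prevents other applications from starting an activity is `android:exported="false"`.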