TTP-03-010 WP3: Potential phishing
Vulnerability type: TTP-03-010 WP3: Potential phishing via task-hijacking on Android
Threat level: _Medium_
Testing confirmed that the Android app does not offer sufficient protection against task hijacking attacks.
The launchMode for the HomeActivity activity is currently set to singleTask for Android API level 29 and lower. This mitigates task hijacking via StrandHogg 2.0 (https://www.helpnetsecurity.com/2020/05/28/cve-2020-0096/), but leaves the app vulnerable to older techniques such as StrandHogg (https://www.helpnetsecurity.com/2019/12/03/strandhogg-vulnerability/) and other task-hijacking techniques documented since 2015 (https://s2.ist.psu.edu/paper/usenix15-final-ren.pdf).
The described vulnerability was patched by Google in March 2019 for Android API level 28 and newer. Since the Android app supports devices from Android 5 (API level 21), all users running Android 5-8.1 remain vulnerable, as do users running unpatched Android devices, which is still common today.
A malicious app could exploit this weakness to manipulate how users interact with the app. Specifically, it could place an attacker-controlled activity into the user's screen flow, which can be used for phishing, Denial-of-Service (DoS) attacks and theft of user credentials.
Affected file: fenix/app/src/main/AndroidManifest.xml
Affected code:
<activity
    android:name=".HomeActivity"
    android:exported="true"
    android:configChanges="keyboard|keyboardHidden|mcc|mnc|orientation|screenSize|layoutDirection|smallestScreenSize|screenLayout"
    android:launchMode="singleTask"
    android:resizeableActivity="true" [...]
To aid understanding of this vulnerability, a demonstration of a potential exploitation scenario was recorded and can be consulted via the video linked below.
PoC video: https://cure53.de/exchange/97865826534172365/TaskHijacking%20PoC.mov
To mitigate this issue, Cure53 advises implementing a selection of appropriate countermeasures. One potential solution is to set the task affinity of the exported activities to an empty string via android:taskAffinity="". This forces Android to create a random name which any future attacker would have difficulty predicting. Additionally, setting the launchMode to singleInstance is recommended, as this approach enforces the creation of a new task for each activity.
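As an added illustration (not part of the Cure53 report and not the Fenix project's own manifest), the following shows the weak HomeActivity declaration next to a hardened variant that applies both advised countermeasures. The real manifest's remaining attributes are elided in the report, so only the attributes relevant to this finding are shown here and the rest are assumed:

```xml
<!-- Added example, not the project's manifest. Two variants of the
     HomeActivity declaration: the weak one as reported, and a hardened one
     applying the recommended countermeasures. Other attributes omitted. -->

<!-- BEFORE: launchMode="singleTask" with the default taskAffinity (the app's
     package name). Because the affinity is predictable, a malicious app can
     declare the same affinity and insert its own activity into this task. -->
<activity
    android:name=".HomeActivity"
    android:exported="true"
    android:launchMode="singleTask" />

<!-- AFTER: an empty taskAffinity makes Android assign a name an attacker
     cannot predict, and singleInstance keeps the activity alone in its own
     task, so no foreign activity can be placed into the user's screen flow. -->
<activity
    android:name=".HomeActivity"
    android:exported="true"
    android:taskAffinity=""
    android:launchMode="singleInstance" />
```

Apply the same two attributes to every other exported activity, since the finding concerns exported activities in general rather than HomeActivity alone. After installing the rebuilt app on a test device, `adb shell dumpsys activity activities` lists each task together with its affinity, which allows confirming that the app's task no longer carries the package-name affinity.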
We need a mitigation plan for this issue by the end of February.