Task Hijacking vulnerability caused by inappropriate taskAffinity settings in the Reolink Android app

The Reolink Android app's MainActivity is declared with launchMode="singleTask", but the taskAffinity attribute, which specifies the task preference, is not explicitly set. This allows a malicious app to hijack the Reolink app's task by declaring a taskAffinity equal to the Reolink app's package name. If successful, the malicious app's screen is displayed first when the user runs the legitimate Reolink app, which can lead to damage such as stealing user account information and obtaining malicious privileges.

Conditions:

- Android 10 and below
- launchMode="singleTask" in AndroidManifest.xml
- taskAffinity does not have an explicit setting

This attack is carried out through a malicious application installed locally. The attacker exploits a configuration vulnerability in the AndroidManifest.xml of the Reolink app to hijack the task, displaying a crafted malicious Activity instead of the intended one when the user launches the legitimate app.

The key to the attack lies in the MainActivity settings within the AndroidManifest.xml file of the Reolink app.

    <activity
        android:name="com.android.bc.MainActivity"
        android:exported="true"
        android:launchMode="singleTask"
        android:screenOrientation="portrait"
        android:configChanges="screenSize|orientation|keyboardHidden"
        android:windowSoftInputMode="adjustPan|stateAlwaysHidden">
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="@string/scheme_for_launch_app"/>
        </intent-filter>
    </activity>

The two conditions in this declaration, launchMode="singleTask" and the absence of an explicit taskAffinity, combine to create the vulnerability.
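
The following audit script is an added example, not part of the original advisory or of Reolink's code. It flags activities that meet both manifest conditions, assuming the manifest has already been decoded to text XML; the function name and the sample package and activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def find_hijackable_activities(manifest_xml):
    """Return [(activity, inherited_affinity)] for singleTask activities that
    set no taskAffinity of their own and so inherit a non-empty one."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    # Default affinity: <application android:taskAffinity>, else the package name.
    inherited = app.get(ANDROID + "taskAffinity", root.get("package", ""))
    findings = []
    for act in app.findall("activity"):
        single_task = act.get(ANDROID + "launchMode") == "singleTask"
        explicit = act.get(ANDROID + "taskAffinity")  # None when attribute is absent
        if single_task and explicit is None and inherited:
            findings.append((act.get(ANDROID + "name"), inherited))
    return findings

# Constructed sample manifest (package and activity names are made up).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".MainActivity"
              android:exported="true"
              android:launchMode="singleTask"/>
    <activity android:name=".HardenedActivity"
              android:launchMode="singleTask"
              android:taskAffinity=""/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, affinity in find_hijackable_activities(SAMPLE_MANIFEST):
        print(f"{name}: singleTask with inherited taskAffinity '{affinity}'")
```

Only `.MainActivity` is reported: it mirrors the configuration shown above, while the activity with an explicit empty taskAffinity and the one with the default launch mode are not flagged.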