Activities count check

    Technique summary

    Technique: Activities count check
    Against: Task hijacking
    Limitations: None
    Side effects: Resource intensiveness
    Recommendations: Recommended to counter task hijacking attacks.

    The principles behind the technique are described in the paper “RIP StrandHogg: A Practical Detection Method on Android” by researchers at the University of Würzburg [1].

    The numActivities attribute of the TaskInfo class is a good indicator for detecting malicious activity injection, because the number of activities in the task increases when the new activity is added to it. Although the getRunningTasks method was deprecated in Android 5.0, it continues to work up to Android 10, which provides the necessary coverage for task hijacking attacks.

    The method poses several challenges that require a relatively complex implementation in the app:

    1. Resource efficiency—The method requires background monitoring, which may be resource-intensive.
    2. Requires at least one activity—The numActivities attribute is only a reliable indicator if the app has at least one activity running (open or minimized).
    3. Requires keeping track of open activities—As the application opens other activities, the expected number of activities will change, which has to be taken into account in the detection code.

    The complete detection algorithm is as follows:

    [Figure: Activities count countermeasure algorithm]
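
One way to implement the check in Java, as an added example rather than Guardsquare's or the paper's own algorithm: it counts the app's activities per task through ActivityLifecycleCallbacks and polls getRunningTasks for a larger numActivities. The class name ActivityCountMonitor, the Listener callback, the task limit of 16 and the one-second interval are assumptions.

```java
import android.app.Activity;
import android.app.ActivityManager;
import android.app.Application;
import android.content.Context;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.util.SparseIntArray;

// Added example, not the page's algorithm: polls numActivities against our own count.
public final class ActivityCountMonitor implements Application.ActivityLifecycleCallbacks {
    public interface Listener { void onUnexpectedActivity(int taskId, int expected, int actual); } // hypothetical
    private static final long POLL_MS = 1000;  // assumed interval: detection latency vs. battery
    private final java.util.Map<Activity, Integer> taskOf = new java.util.HashMap<>(); // activity -> task id
    private final SparseIntArray expected = new SparseIntArray();  // task id -> our live activities
    private final Handler handler = new Handler(Looper.getMainLooper());
    private final ActivityManager am;
    private final Listener listener;

    public ActivityCountMonitor(Application app, Listener listener) {
        this.am = (ActivityManager) app.getSystemService(Context.ACTIVITY_SERVICE);
        this.listener = listener;
        app.registerActivityLifecycleCallbacks(this);
    }
    private void check() {
        if (taskOf.isEmpty()) return;  // no activity of ours: the count is not a reliable indicator
        // Deprecated API; from Android 5.0 it reports the caller's own tasks (and possibly home).
        for (ActivityManager.RunningTaskInfo t : am.getRunningTasks(16)) {
            int want = expected.get(t.id, 0);  // 0 = a task we do not track, e.g. the launcher
            if (want > 0 && t.numActivities > want)
                listener.onUnexpectedActivity(t.id, want, t.numActivities);
        }
        handler.postDelayed(this::check, POLL_MS);
    }
    @Override public void onActivityCreated(Activity a, Bundle state) {
        int task = a.getTaskId();
        taskOf.put(a, task);  // remember the task now; it is needed again on destroy
        expected.put(task, expected.get(task, 0) + 1);
        handler.removeCallbacksAndMessages(null);  // keep a single polling chain
        handler.postDelayed(this::check, POLL_MS);
    }
    @Override public void onActivityDestroyed(Activity a) {
        Integer task = taskOf.remove(a);
        if (task != null) expected.put(task, expected.get(task, 0) - 1);
    }
    @Override public void onActivityStarted(Activity a) {}
    @Override public void onActivityResumed(Activity a) {}
    @Override public void onActivityPaused(Activity a) {}
    @Override public void onActivityStopped(Activity a) {}
    @Override public void onActivitySaveInstanceState(Activity a, Bundle out) {}
}
```

Treat a single mismatch as a signal to confirm on the next poll rather than as proof: a poll can run after startActivity() has added the new record to the task but before onActivityCreated fires, and after process death the counters restart while the task keeps its earlier activities.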

    1. Jasper Stang, Alexandra Dmitrienko, Sascha Roth. "RIP StrandHogg: A Practical Detection Method on Android". WiSec '21: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks. June 2021
