Activities count check

      Technique summary
    Technique Activities count check
    Against Task hijacking
    Limitations None
    Side effects Resource intensiveness
    Recommendations Recommended to counter task hijacking attacks.

    The principles behind the technique are described in the paper by researchers at the University of Würzburg with the title “RIP StrandHogg: A Practical Detection Method on Android”1.

    The numActivities attribute of the TaskInfo class is a good indicator that helps detecting malicious activity injection, as the number of activities will increase with the new activity being added to the task. While the getRunningTasks method is deprecated in Android 5.0, it continues working up till Android 10, which provides the necessary coverage for task hijacking attacks.

    The method poses several challenges that require a relatively complex implementation in the app:

    1. Resource efficiency—The method requires background monitoring, which may be resource-intensive.
    2. Requires at least one activity—The numActivities attribute is only a reliable indicator if the app has at least one activity running (open or minimized).
    3. Requires keeping track of open activities—As the application opens other activities, the expected number of activities will change, which has to be taken into account in the detection code.

    The complete detection algorithm is as follows:


    Activities count countermeasure algorithm

    1. Jasper Stang, Alexandra Dmitrienko, Sascha Roth. "RIP StrandHogg: A Practical Detection Method on Android". WiSec '21: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks. June 2021


    Table of contents