Android task hijacking

    Android task hijacking allows a malicious app to inherit the identity of a victim app to execute phishing attacks on users. A fake activity is displayed instead of the real one, which allows the attacking malware to gain access to the users' data.

    Task hijacking attacks are similar to UI injections because they also rely on malicious activities that imitate the real application activities. The difference is that in the case of task hijacking, the malicious activity is displayed not on top of the original activity, but instead of the original activity. The malicious activity is added to the original task, which makes it very hard to detect by an unsuspecting user.

    Examples of task hijacking attacks are:

    Defense techniques

    --- title: Task hijacking attacks --- graph TD all[All malware attacks] --> steal_screen click all href "/mobile-app-security-research-center/malware/overview" "Malware overview" steal_screen[Spy on users' screen] steal_screen --> task[Task hijacking] task --> task_api30{API Level ≥ 30?} task_api30 -- Yes (Android 11+) --> no_need[No need for protection] task_api30 -- No --> task_api29{API Level ≥ 29?} task_api29 -- Yes (Android 10+) --> solutions29([Solutions]) solutions29 --> task_affinity([taskAffinity]) solutions29 --> num_act([numActivities ⭐]) task_api29 -- No --> solutions28([Solutions]) solutions28 --> num_act solutions28 --> single_instance([Single instance launch]) style no_need fill:lightgreen style task_affinity fill:lightgreen style num_act fill:lightgreen style single_instance fill:lightgreen click single_instance href "/mobile-app-security-research-center/malware/single-instance-launch" "Single instance" click task_affinity href "/mobile-app-security-research-center/malware/empty-task-affinity" "Empty task affinity"

     

    Guardsquare

    Table of contents