Seismic App Task Hijacking Vulnerability in Android 2.4.2
Vulnerability
A task hijacking vulnerability has been identified in Seismic App version 2.4.2 for Android. This issue arises from improperly exported application components in the AndroidManifest.xml file of the com.seismic.doccenter component. The vulnerability allows a malicious app to inherit permissions from the vulnerable one, typically for phishing purposes. This issue affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task, potentially leading to the theft of sensitive information from the user.
Reproduction
To reproduce this vulnerability, a malicious app must be created and installed on the victim's device. This app should be configured to hijack a task from the Seismic App by setting the taskAffinity attribute to match that of the target app. Once the malicious app is opened, it will take over the task of the Seismic App, allowing it to display a phishing page and collect personal information from the user.
Remediation
This vulnerability can be mitigated by setting the taskAffinity property of the application's activities to an empty string in the AndroidManifest.xml file, forcing the activities to use a randomly generated task affinity. Alternatively, this can be set on the application tag to apply to all activities.
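The following is an added example, not code from the advisory or from the Seismic project, showing the remediation above as a manifest check. It embeds three constructed AndroidManifest.xml fragments (a weak one with no taskAffinity set, a hardened one with android:taskAffinity="" on the application tag, and a mixed one where an activity overrides the application-level setting) and resolves each activity's effective affinity the way the manifest rules do: an activity-level value overrides the application-level value, and if neither is present the package name is used, which is the default a hijacking app can match. The package name com.example.docviewer and the activity names are placeholders, not the real Seismic identifiers.

```python
"""Flag activities whose effective taskAffinity is not the empty string.

Added example (not Seismic's code). Parses a manifest in source form with
the standard library only, so it runs offline on the constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_hijackable_activities(manifest_xml: str) -> list[str]:
    """Return the android:name of every activity that still joins a task by
    a non-empty affinity (the condition the remediation removes)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = _android_attr(app, "taskAffinity")
    weak = []
    for activity in app.iter("activity"):
        act_affinity = _android_attr(activity, "taskAffinity")
        # Activity-level value wins; otherwise fall back to the application
        # tag; if neither is set the platform default is the package name.
        effective = act_affinity if act_affinity is not None else app_affinity
        if effective is None:
            effective = package
        if effective != "":
            weak.append(_android_attr(activity, "name"))
    return weak


# Constructed sample: weak, nothing sets taskAffinity, so both activities
# default to the package name "com.example.docviewer" (placeholder).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <application android:label="DocViewer">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".DocumentActivity"/>
  </application>
</manifest>"""

# Constructed sample: hardened as the advisory recommends, with the empty
# affinity set once on the application tag so every activity inherits it.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <application android:label="DocViewer" android:taskAffinity="">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".DocumentActivity"/>
  </application>
</manifest>"""

# Constructed sample: application tag is hardened, but one activity
# re-introduces a non-empty affinity and must still be flagged.
MIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <application android:label="DocViewer" android:taskAffinity="">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LegacyActivity"
              android:taskAffinity="com.example.docviewer.legacy"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST),
                            ("hardened", HARDENED_MANIFEST),
                            ("mixed", MIXED_MANIFEST)):
        print(label, find_hijackable_activities(manifest))
```

Run against a real project's manifest, the check reports every activity that would still need the empty-affinity setting; an empty list means the application-level setting (or per-activity settings) covers all activities.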
