Webull Investing and Trading App Task Hijacking Vulnerability

A task hijacking vulnerability has been identified in the Webull Investing & Trading App version 11.2.5.63 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, allowing malicious apps to inherit permissions from vulnerable ones. The vulnerability affects all Android versions prior to Android 11 and can be exploited locally. Once exploited, it could lead to significant risks, such as phishing attacks to steal login credentials or sensitive information from users.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate one, potentially leading to the theft of sensitive information or unauthorized access to user permissions.

Reproduction

To reproduce this vulnerability, a malicious app must be created and configured to hijack tasks from the Webull app. This involves setting the taskAffinity attribute to match that of the Webull app in the AndroidManifest.xml. Once the malicious app is installed, it can be used to hijack the Webull app when it is opened, replacing its activity with that of the malicious app, which can then phish for personal information or request permissions from the user.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities in the AndroidManifest.xml to a randomly generated value or enforce a specific task affinity for all activities in the application.