SKTLab Mukbee App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in SKTLab Mukbee App version 1.01.196 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the com.dw.android.mukbee component. The vulnerability allows malicious applications to inherit permissions from the vulnerable app, potentially leading to phishing attacks by manipulating user interactions with the app.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over tasks of the Mukbee app, phish for user credentials, and access sensitive information by exploiting the inherited permissions.
Reproduction
To reproduce this vulnerability, a malicious app must be created with a task affinity that matches the Mukbee app. Once this app is installed, it can hijack the Mukbee app's tasks and use them to phish for personal information or to prompt the user to grant additional permissions to the malicious app.
Remediation
Users are advised to set the taskAffinity property of application activities in the AndroidManifest.xml to a randomly generated value or to enforce a specific task affinity for all activities in the application.
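The following check is an added example, not code from this advisory or from the vendor. It audits a decoded AndroidManifest.xml and reports each activity whose effective taskAffinity still equals the package name, which is the default when the attribute is unset. Only the package name comes from the advisory; the activity names and the random suffix in the sample are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded manifest. Only the package name comes from
# the advisory; the activity names and the random suffix are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.dw.android.mukbee">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LoginActivity" android:taskAffinity=""/>
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.dw.android.mukbee.a91f3c"/>
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml):
    """Return a list of (activity, effective_affinity, verdict) tuples."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    app_affinity = app.get(ANDROID_NS + "taskAffinity")
    findings = []
    for activity in app.findall("activity"):
        name = activity.get(ANDROID_NS + "name")
        affinity = activity.get(ANDROID_NS + "taskAffinity")
        if affinity is None:
            # Unset: inherit from <application>, which defaults to the package.
            affinity = app_affinity if app_affinity is not None else package
        if affinity == package:
            verdict = "REVIEW: affinity equals the package name"
        elif affinity == "":
            verdict = "ok: no task affinity"
        else:
            verdict = "ok: custom affinity"
        findings.append((name, affinity, verdict))
    return findings


if __name__ == "__main__":
    for name, affinity, verdict in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{name:20} {affinity!r:35} {verdict}")
```

The manifest inside an APK is binary XML, so it must be decoded to text before this check can parse it.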
