Dunamu StockPlus App Improper Export of Android Application Components Vulnerability

Vulnerability

A vulnerability allowing task hijacking has been identified in the Dunamu StockPlus App for Android, in versions through 7.62.10. The issue arises from an improper export of application components, specifically within the AndroidManifest.xml file of the com.dunamu.stockplus component. It allows malicious apps to inherit permissions from the vulnerable app, potentially leading to phishing attacks by manipulating or taking over tasks on the device.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over tasks of the vulnerable app, inheriting its permissions. This could be used to phish for login credentials or manipulate the user in other ways.

Reproduction

The vulnerability can be reproduced by creating a malicious app that targets the Dunamu StockPlus App. This malicious app can then inherit permissions from the vulnerable app, allowing it to access sensitive data or perform actions on behalf of the user. This exploitation can be automated with a public proof-of-concept exploit available on GitHub.
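
For developers checking their own app for the manifest conditions this advisory describes, the following added example (not from the advisory or from Dunamu) audits a decoded AndroidManifest.xml for components exported without a permission and for activities whose taskAffinity is not cleared. The sample manifest, the com.example.app package, and the choice of an empty taskAffinity as the hardening to check are assumptions; the advisory does not say which components or attributes are affected.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a hypothetical app; not taken from StockPlus.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PayActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"
        android:taskAffinity=""/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.app.SYNC"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (component, finding) pairs for a decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    app_perm = app.get(A + "permission")
    app_affinity = app.get(A + "taskAffinity")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(A + "name")
        exported = comp.get(A + "exported")
        # With no explicit value, an intent-filter makes a component exported
        # on older target SDKs, so treat that case as exported too.
        is_exported = exported == "true" or (
            exported is None and comp.find("intent-filter") is not None)
        launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        guarded = comp.get(A + "permission") or app_perm
        if is_exported and not guarded and not launcher:
            findings.append((name, "exported without permission"))
        # Assumption: an empty taskAffinity is the hardening checked for here.
        if comp.tag == "activity" and comp.get(A + "taskAffinity", app_affinity) != "":
            findings.append((name, "taskAffinity not cleared"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```

Run it on the manifest decoded from a build (for example with apktool), since the file inside an APK is binary XML.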

Added: Jul 20, 2025, 1:23 PM
Updated: Jul 20, 2025, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.