Genshin Albedo Cat House Task Hijacking Vulnerability in Android App

Vulnerability

A task hijacking vulnerability has been identified in the Genshin Albedo Cat House App version 1.0.2 for Android. The issue arises from a misconfiguration in the AndroidManifest.xml file of the component com.house.auscat, which leads to improper export of application components. As a result, a malicious app can inherit permissions from the vulnerable one, potentially enabling phishing attacks that steal login credentials. The vulnerability affects all Android versions prior to Android 11 and requires local access to exploit.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application takes over a legitimate app's task, leading to unauthorized access to sensitive information. This could include personal data or credentials, obtained by manipulating the user into granting permissions or entering information under the guise of the legitimate app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches that of the target app. Once installed, the malicious app can hijack the task of the legitimate app, redirecting the user to a phishing activity designed to capture personal information or credentials.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities in the AndroidManifest.xml file. This can be done by assigning a value that forces activities to use a randomly generated task affinity, or by setting a specific value at the application tag to apply to all activities.
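
One way to check a decoded AndroidManifest.xml for the remediation described above, as an added example that is not part of the original advisory or the app's code. The sample manifest is constructed (only the package name comes from the advisory), the function names are hypothetical, and the hardened value is assumed to be the empty string, which Android documents as giving an activity no affinity for any task.

```python
import xml.etree.ElementTree as ET

ANDROID_URI = "http://schemas.android.com/apk/res/android"
AFFINITY = "{%s}taskAffinity" % ANDROID_URI
NAME = "{%s}name" % ANDROID_URI

# Constructed sample, not the real app's manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.house.auscat">
  <application android:label="demo">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LoginActivity" android:taskAffinity=""/>
    <activity android:name=".SettingsActivity"
              android:taskAffinity="com.house.auscat.settings"/>
  </application>
</manifest>"""


def audit_task_affinity(manifest_xml):
    """Return [(activity, effective_affinity)] for every activity whose
    effective taskAffinity is a predictable, non-empty string."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    # With no attribute set anywhere, the affinity defaults to the package name.
    app_affinity = app.get(AFFINITY, root.get("package", ""))
    findings = []
    for act in app.findall("activity"):
        # A per-activity value overrides the <application> value.
        affinity = act.get(AFFINITY, app_affinity)
        if affinity != "":
            findings.append((act.get(NAME), affinity))
    return findings


def harden(manifest_xml):
    """Set taskAffinity="" on <application> and drop per-activity overrides
    so that every activity inherits the empty value."""
    ET.register_namespace("android", ANDROID_URI)
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app.set(AFFINITY, "")
    for act in app.findall("activity"):
        act.attrib.pop(AFFINITY, None)
    return ET.tostring(root, encoding="unicode")
```
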

Added: Jul 22, 2025, 12:06 AM
Updated: Jul 22, 2025, 12:06 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.4
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.