Canara Bank Canara ai1 Mobile Banking App Task Hijacking Vulnerability

A task hijacking vulnerability has been identified in the Canara ai1 Mobile Banking App version 3.6.23 for Android. This vulnerability arises from an improper export of application components in the AndroidManifest.xml file of the com.canarabank.mobility component. The misconfiguration allows malicious apps to inherit permissions from vulnerable apps, potentially leading to phishing attacks by manipulating or taking over tasks in Android. This issue affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task and permissions. This could be used to phish for sensitive information, such as login credentials, by deceiving the user into thinking they are interacting with the legitimate app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a taskAffinity value that matches the package name of the Canara ai1 app. Once this app is installed on a device, it can hijack the task of the Canara ai1 app by exploiting the misconfiguration in the AndroidManifest.xml. This can be demonstrated by using the malicious app to initiate a task that overlaps with the Canara ai1 app, effectively replacing its activity with a phishing interface.

Remediation

To mitigate this vulnerability, the taskAffinity property of the application's activities should be set to an empty value in the AndroidManifest.xml. This change forces the activities to use a randomly generated task affinity, preventing the hijacking of tasks by malicious apps.