Lobby Universe Lobby App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in Lobby Universe Lobby App versions through 2.8.0 on Android. This issue arises from an improper export of application components in the AndroidManifest.xml file of the com.maverick.lobby component. The vulnerability allows malicious apps to inherit permissions from vulnerable ones, potentially leading to phishing attacks by manipulating or taking over tasks in Android. The vulnerability affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task, leading to unauthorized access to the user's data and permissions.
Reproduction
To reproduce this vulnerability, a malicious app must be created with a taskAffinity value that matches the package name of the target app. Once installed, the malicious app can hijack the task of the legitimate app, replacing its activity with a phishing interface that collects sensitive information from the user.
Remediation
To mitigate this vulnerability, developers should set the taskAffinity property of application activities to an empty value or configure it to enforce a random task affinity for all activities in the application.
