Cool Mo Maigcal Number App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in Cool Mo Maigcal Number App versions 1.0.0 through 1.0.3 on Android. This vulnerability arises from an improper export of application components in the AndroidManifest.xml file of the com.sdmagic.number component. The misconfiguration allows malicious apps to inherit permissions from vulnerable apps, potentially leading to phishing attacks by manipulating or taking over tasks in Android.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task and permissions. This could be used to phish for sensitive information from the user or to manipulate app functionalities.
Reproduction
To reproduce this vulnerability, a malicious app must be created with a task affinity that matches the vulnerable app's package name. Once installed, the malicious app can hijack the task of the legitimate app, leading to a phishing scenario where the user is deceived into providing personal information.
Remediation
To mitigate this vulnerability, developers should set the taskAffinity property of application activities to an empty value or enforce a random task affinity across all activities in the AndroidManifest.xml.
