RiderLike Fruit Crush-Brain App Task Hijacking Vulnerability

Vulnerability

A task hijacking vulnerability has been identified in RiderLike Fruit Crush-Brain App version 1.0 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file of the com.fruitcrush.fun component. The vulnerability allows malicious applications to inherit permissions from vulnerable ones, potentially leading to phishing attacks by manipulating or taking over tasks within Android. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over a legitimate app's task and permissions. This could be used to phish for sensitive information from the user.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches that of the vulnerable app. Once installed, the malicious app can hijack the task of the legitimate app, presenting a phishing interface to the user.

Remediation

To mitigate this vulnerability, the taskAffinity property of the application's activities should be set to a random value or configured to enforce a specific task affinity across all activities.
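The check below is an added example, not code from the app or its vendor: it audits a decoded (text XML) AndroidManifest.xml and lists every activity whose effective taskAffinity is still the predictable package name, which is the condition the remediation above is meant to remove. The sample manifest, package name and activity names are constructed for illustration. An empty taskAffinity (Android's documented "no affinity" setting) or any value other than the package name is treated as remediated.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration (not the real app's manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".ShopActivity" android:taskAffinity=""/>
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.game"/>
    <activity android:name=".AboutActivity"
              android:taskAffinity="com.example.game.r8f3k2"/>
  </application>
</manifest>"""


def audit_task_affinity(manifest_xml):
    """List activities whose effective taskAffinity is the package name."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_affinity = app.get(ANDROID + "taskAffinity")  # None when unset
        for act in app.iter("activity"):
            affinity = act.get(ANDROID + "taskAffinity")
            source = "activity"
            if affinity is None and app_affinity is not None:
                # Activities inherit the <application> value when they set none.
                affinity, source = app_affinity, "application"
            elif affinity is None:
                # Nothing set anywhere: Android falls back to the package name.
                affinity, source = package, "default"
            if affinity == package:
                findings.append({
                    "activity": act.get(ANDROID + "name"),
                    "affinity_source": source,
                    "exported": act.get(ANDROID + "exported") == "true",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_task_affinity(SAMPLE_MANIFEST):
        print(finding)
```

Run against the sample, it reports `.MainActivity` (default affinity, exported) and `.HelpActivity` (affinity explicitly set to the package name), and passes the other two activities.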

Added: Aug 4, 2025, 8:19 PM
Updated: Aug 4, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.