Boquan DotWallet App Task Hijacking Vulnerability

Vulnerability

A task hijacking vulnerability has been identified in Boquan DotWallet App version 2.15.2 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the com.boquanhash.dotwallet component. The vulnerability allows malicious applications to inherit permissions from the DotWallet app, potentially leading to phishing attacks by manipulating or taking over tasks in Android. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over a legitimate app's task and permissions. This could be used to phish for sensitive information from the user or to manipulate the user into granting additional permissions to the malicious app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a taskAffinity value that matches the package name of the DotWallet app. Once this malicious app is installed and its activity is launched, it hijacks the DotWallet task the next time the DotWallet app is opened, presenting the user with a phishing interface instead of the legitimate app's activity.

Remediation

To mitigate this vulnerability, the taskAffinity property of the application's activities should be set to an empty string (android:taskAffinity="") in the AndroidManifest.xml. This forces the activities to use a randomly generated task affinity rather than the package-name default, so a third-party app declaring the package name as its affinity can no longer join their task.
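As an added audit example (not the vendor's or the app's own code), the following Python script parses a decoded AndroidManifest.xml and lists the activities whose effective task affinity is still non-empty, i.e. those that inherit the package-name default described above or set a named affinity another app could declare. The manifest, package name and activity names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by every android:* attribute in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(el, name):
    """Read an android:<name> attribute; returns None if absent, "" if empty."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def effective_affinity(app, activity, package):
    """Resolve the affinity the way Android does: the activity's own
    taskAffinity, else the <application> one, else the package name."""
    for el in (activity, app):
        val = android_attr(el, "taskAffinity")
        if val is not None:
            return val
    return package


def find_hijackable_activities(manifest_xml):
    """Return (activity name, affinity) pairs for activities whose effective
    affinity is non-empty. An empty string means Android assigns a unique
    affinity that no other app can name in its own manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    findings = []
    for act in app.findall("activity"):
        affinity = effective_affinity(app, act, package)
        if affinity != "":
            findings.append((android_attr(act, "name"), affinity))
    return findings


# Constructed sample manifest (hypothetical package and activity names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
  <application android:label="Wallet">
    <!-- no taskAffinity: inherits the package name, so it can be hijacked -->
    <activity android:name=".LoginActivity" android:exported="true"/>
    <!-- explicit empty affinity: the remediated form -->
    <activity android:name=".PayActivity" android:taskAffinity=""/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, affinity in find_hijackable_activities(SAMPLE_MANIFEST):
        print(f"{name}: effective taskAffinity is {affinity!r}; set it to \"\"")
```

Run it against a manifest decoded from the APK (for example with apktool) rather than the compiled binary manifest, which ElementTree cannot parse.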

Added: Aug 4, 2025, 8:18 PM
Updated: Aug 4, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.