Huuge Box App Task Hijacking Vulnerability

Vulnerability

A task hijacking vulnerability has been identified in Huuge Box App version 1.0.3 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the component com.huuge.game.zjbox. The vulnerability allows malicious applications to inherit permissions from vulnerable ones, creating opportunities for phishing attacks by manipulating or taking over tasks on the device. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over a legitimate app's task and permissions. This could lead to phishing attacks, where sensitive information is stolen under the guise of the legitimate app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a taskAffinity that matches the vulnerable app's package name. Once installed, this malicious app can hijack the task of the Huuge Box app, redirecting the user to a phishing activity designed to capture personal information or permissions.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity attribute of the application's activities to an empty value (android:taskAffinity="") in the AndroidManifest.xml, forcing the activities to use a randomly generated task affinity. Alternatively, the attribute can be set on the application tag so that it applies to all activities.
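One way to check a build for this remediation, as an added example that is not part of the original advisory or the vendor's code. It assumes the manifest has already been decoded to text XML (the copy inside an APK is binary); the sample manifest and its activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form); activity names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.huuge.game.zjbox">
  <application android:label="Sample">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".ShareActivity"
        android:taskAffinity="com.huuge.game.zjbox.share"/>
  </application>
</manifest>
"""

def audit_task_affinity(manifest_xml):
    """Return (activity name, effective affinity) for every activity whose
    effective task affinity is not the empty string the remediation calls for."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # With no attribute anywhere, the affinity defaults to the package name,
    # which is the value another app can declare to join this app's task.
    app_affinity = app.get(ANDROID + "taskAffinity", package)
    findings = []
    for activity in app.findall("activity"):
        # A per-activity attribute overrides the application-level value.
        affinity = activity.get(ANDROID + "taskAffinity", app_affinity)
        if affinity != "":
            findings.append((activity.get(ANDROID + "name"), affinity))
    return findings

def set_application_affinity(manifest_xml):
    """Apply the application-level form of the fix: taskAffinity="" on <application>."""
    ET.register_namespace("android", ANDROID[1:-1])
    root = ET.fromstring(manifest_xml)
    root.find("application").set(ANDROID + "taskAffinity", "")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", audit_task_affinity(SAMPLE_MANIFEST))
    print("after: ", audit_task_affinity(set_application_affinity(SAMPLE_MANIFEST)))
```

The second result still lists the activity that declares its own affinity, because an activity-level value takes precedence over the application-level one and has to be cleared separately.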

Added: Aug 8, 2025, 3:19 AM
Updated: Aug 8, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.