Weee RICEPO App Task Hijacking Vulnerability in Android Manifest Misconfiguration

A task hijacking vulnerability has been identified in the Weee RICEPO App version 6.17.77 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file of the com.ricepo.app component. The vulnerability allows malicious applications to inherit permissions from the RICEPO app, potentially leading to phishing attacks by manipulating user interactions with the app. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over tasks from the RICEPO app, leading to unauthorized access to permissions and sensitive information.

Reproduction

To reproduce this vulnerability, a malicious app must be created and uploaded to a device. This app should be designed to hijack tasks from the RICEPO app by exploiting the improper component export in the AndroidManifest.xml. Once the malicious app is installed, it can be used to Phish credentials from the victim by manipulating the task stack and presenting a fake interface of the RICEPO app.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities in the AndroidManifest.xml to a randomly generated value or enforce a specific task affinity that does not overlap with other applications.