AfterShip Package Tracker App Task Hijacking Vulnerability

Vulnerability

A task hijacking vulnerability has been identified in the AfterShip Package Tracker App for Android, affecting versions through 5.24.1. The issue arises from the improper export of application components in the AndroidManifest.xml file of the com.aftership.AfterShip component. The vulnerability allows malicious apps to inherit permissions from vulnerable apps, potentially leading to phishing attacks in which tasks in Android are manipulated or taken over. It is present on all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over tasks from a legitimate application. This could lead to unauthorized access to sensitive information, as the malicious app could impersonate the user within the context of the legitimate app, potentially allowing for phishing attacks or unauthorized data access.

Reproduction

To reproduce this vulnerability, a malicious app must be created and installed on a device with an affected version of the AfterShip Package Tracker App. The malicious app should be configured to hijack tasks from the AfterShip app by setting the taskAffinity attribute to match that of the target app. Once the malicious app is launched, it will take over the task stack of the AfterShip app, allowing it to intercept and manipulate activities, such as creating a phishing scenario to collect sensitive information from the user.

Remediation

Users are advised to update to a version of the AfterShip Package Tracker App that is later than 5.24.1, as the vendor has acknowledged the vulnerability and is working on a fix.
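
For developers checking their own apps for the same class of issue, the following added example (not from the advisory or the vendor) lists activities whose effective taskAffinity is non-empty, which is the attribute the reproduction above relies on matching. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest and its names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest with hypothetical names; not the AfterShip manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracker">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:taskAffinity=""/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def effective_affinity(activity, application, package):
    """Resolve taskAffinity: activity attribute, then application, then package name."""
    for node in (activity, application):
        value = node.get(ANDROID + "taskAffinity")
        if value is not None:
            return value
    return package


def is_exported(activity):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    (the platform default for apps targeting releases before Android 12)."""
    explicit = activity.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def audit_manifest(xml_text):
    """List (name, affinity, exported) for activities that keep a non-empty affinity."""
    root = ET.fromstring(xml_text)
    package, application = root.get("package", ""), root.find("application")
    findings = []
    for activity in application.findall("activity"):
        affinity = effective_affinity(activity, application, package)
        if affinity:  # an empty string means the activity has no task affinity
            findings.append((activity.get(ANDROID + "name"), affinity, is_exported(activity)))
    return findings
```

Calling audit_manifest(SAMPLE_MANIFEST) reports every activity except .LoginActivity, which sets android:taskAffinity="" and therefore has no affinity another app's activity can match.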

Added: Aug 19, 2025, 11:17 AM
Updated: Aug 19, 2025, 1:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.