UAB Paytend App Task Hijacking Vulnerability in Android Manifest
Vulnerability
A task hijacking vulnerability has been identified in the UAB Paytend App for Android, affecting versions through 2.1.9. The issue arises from an improper configuration in the AndroidManifest.xml of the component com.passport.cash, which results in application components being exported incorrectly. This vulnerability allows a malicious app to inherit permissions from the vulnerable one, a technique commonly used to phish for login credentials. The vulnerability affects all Android versions prior to Android 11 and requires local exploitation (the malicious app must already be installed on the device).
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task, potentially leading to the theft of sensitive information from the user.
Reproduction
To reproduce this vulnerability, a malicious app must be created and installed on the victim's device. This app is configured to hijack a task belonging to the Paytend app by setting its taskAffinity attribute to match that of the target app. Once the malicious app is launched, it is placed into the Paytend app's task and presents a phishing interface in place of the legitimate one, tricking the user into divulging personal information or granting permissions to the malicious app.
Remediation
Users can mitigate this vulnerability by updating to a version of the UAB Paytend App that is not affected. Developers should set the taskAffinity property of the application's activities to a randomly generated value, or enforce a single, explicit taskAffinity setting across all activities in the AndroidManifest.xml, so that an activity from another package cannot join the app's task simply by declaring the default (package-name) affinity.
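The following is an added example, not code from the advisory or from the Paytend app, showing how the manifest configuration described above can be audited. It parses an AndroidManifest.xml, computes each activity's effective taskAffinity (activity attribute, then application attribute, then the package-name default), and flags activities that still use the predictable default without running in their own task. The two manifests embedded below are constructed for illustration, with a placeholder package name; the vulnerable one omits taskAffinity entirely, the hardened one sets it to the empty string at the application level, which is the explicit enforcement the remediation section recommends.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_task_affinity(manifest_xml: str) -> list:
    """Return activities whose task can be joined by a malicious app.

    An activity is reported when its effective taskAffinity is the
    default (the package name), which any app can declare verbatim, and
    it is not launched as singleInstance (which always gets its own task).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = _attr(app, "taskAffinity")

    findings = []
    for activity in app.iter("activity"):
        name = _attr(activity, "name")
        affinity = _attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_affinity          # inherited from <application>
        if affinity is None:
            affinity = package               # Android's implicit default
        if _attr(activity, "launchMode") == "singleInstance":
            continue                         # own task, not hijackable this way
        if affinity == "":
            continue                         # explicit empty affinity: hardened
        if affinity == package:
            findings.append({"activity": name, "effective_affinity": affinity})
    return findings


# Constructed sample: no taskAffinity anywhere, so every activity
# shares the default affinity equal to the package name.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholderapp">
  <application android:label="Placeholder">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity"/>
  </application>
</manifest>
"""

# Constructed sample: same app with taskAffinity="" enforced for all
# activities at the <application> level.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<application android:label="Placeholder">',
    '<application android:label="Placeholder" android:taskAffinity="">',
)


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        hits = audit_task_affinity(manifest)
        print(f"{label}: {len(hits)} activity/activities at risk")
        for hit in hits:
            print(f"  {hit['activity']} (affinity {hit['effective_affinity']!r})")
```

The check is deliberately conservative: a custom non-empty affinity is not reported, since the advisory accepts a randomly generated value as a fix, but it is still visible in the decompiled manifest, so the empty-string form is the safer default when activities do not need to share a task with another app.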