Voice Changer App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in the Voice Changer App, specifically in versions through 1.1.0. This vulnerability arises from an improper configuration in the AndroidManifest.xml file of the component com.tuyangkeji.changevoice. The misconfiguration allows malicious applications to hijack tasks from legitimate ones, inheriting their permissions and potentially leading to phishing attacks. This issue affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over tasks of a legitimate app, leading to unauthorized access to the legitimate app's permissions and data. This could result in the theft of sensitive information, such as login credentials, or manipulation of the user into granting additional permissions to the malicious app.
Reproduction
To reproduce this vulnerability, a malicious app must be created and configured to hijack tasks from the Voice Changer App. This involves setting the taskAffinity attribute of the malicious app to match that of the Voice Changer App component. Once the malicious app is installed and the task hijacking is successful, the Voice Changer App will inadvertently display the malicious app's activity instead of its own, allowing for phishing attacks or unauthorized access to sensitive information.
Remediation
Users can mitigate this vulnerability by updating to a version of the Voice Changer App that is later than 1.1.0. Additionally, developers should ensure that the taskAffinity property of application activities is set to a randomly generated value or properly configured to prevent unauthorized task hijacking.
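As an added example of the developer-side check described above (not code from the app or its vendor), the following Python script audits a decoded, text-form AndroidManifest.xml and reports activities whose effective taskAffinity is still the package name, which is the Android default when the attribute is unset. The package com.example.voiceapp, the activity names and both manifests are constructed samples, and the function name audit_task_affinity is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: affinity left at its default or set to the package name.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voiceapp">
  <application>
    <activity android:name=".MainActivity" android:launchMode="singleTask"/>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".ShareActivity"
              android:taskAffinity="com.example.voiceapp"/>
  </application>
</manifest>
"""

# Constructed sample: empty affinity declared once on <application>,
# so every activity without its own value inherits "no affinity".
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voiceapp">
  <application android:taskAffinity="">
    <activity android:name=".MainActivity" android:launchMode="singleTask"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

def audit_task_affinity(manifest_xml):
    """Return [(activity, affinity)] for activities whose effective
    taskAffinity equals the package name (the guessable default)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = app.get(ANDROID + "taskAffinity")  # None if undeclared
    findings = []
    for activity in app.findall("activity"):
        # Resolution order: activity value, then application value, then package.
        affinity = activity.get(ANDROID + "taskAffinity")
        if affinity is None:
            affinity = package if app_affinity is None else app_affinity
        if affinity == package:
            findings.append((activity.get(ANDROID + "name"), affinity))
    return findings

if __name__ == "__main__":
    for name, affinity in audit_task_affinity(WEAK_MANIFEST):
        print(f"{name}: taskAffinity resolves to {affinity!r}")
```

The manifest inside an APK is binary XML and has to be decoded to text (for example with apktool) before this script can read it.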
