Modo Legend of the Phoenix Task Hijacking Vulnerability

A task hijacking vulnerability has been identified in Modo Legend of the Phoenix versions through 1.0.5. This issue arises from an improper export of Android application components in the AndroidManifest.xml file of the component com.duige.hzw.multilingual. The vulnerability allows malicious apps to inherit permissions from vulnerable ones, typically for phishing purposes. The exploitation must be done locally, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate one, potentially leading to the theft of sensitive information from the user.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches that of the vulnerable app. Once installed, this malicious app can hijack the task of the legitimate app, replacing its activity with a phishing page designed to capture personal information or induce the user to grant permissions to the malicious app.

Remediation

To mitigate this vulnerability, the taskAffinity property of the application's activities should be set to an empty value in the AndroidManifest.xml, forcing the activities to use a randomly generated task affinity. Alternatively, this can be set at the application tag level to apply to all activities.