Using Task Affinity to launch Denial-of-service or Phishing attacks in Android
Activity, Task, and Task Affinity
The activities of an Android app are what the user sees on the screen of the device and uses to interact with the app. Android starts an activity in a task based on the activity's task affinity, which is a string identifier. All activities with the same task affinity are started in the same task.
How does Android’s task stack work?
Launcher activities in Android apps are started when the user launches the app from the app launcher (or from a shortcut on the Home screen). If no task exists for the app (the app has not been used recently), a new task is created and the launcher activity of the app opens as the first activity in the task's stack. If the task already exists, Android does not create the launcher activity again; it brings the existing task to the foreground and displays the activity at the top of that task's stack.
What is the vulnerability?
An activity M, the launcher activity of a Malicious app, can use task affinity to start in the same task as the activities of a Benign app.
How can a Malicious app launch a phishing attack?
The launcher activity of a Malicious app can set its task affinity to that of the launcher activity of any app X installed on the device, e.g., Gmail. Suppose the launcher activity M of the Malicious app is started before the launcher activity of X. When the user then starts the launcher activity of app X, activity M is displayed instead of the launcher activity of app X. The Malicious app can be designed so that, when activity M is displayed the second time, it looks like the launcher activity of app X. The user is thus led to believe that she is interacting with the launcher activity of app X when in reality she is interacting with activity M.
We created a Benign app and a Malicious app to test this vulnerability. We tested the vulnerability against Android API Levels 19, 21, 22, 23, 24, and 25 on an emulator. We could successfully exploit the vulnerability on all the API Levels except 21. We could also successfully exploit the vulnerability on Android devices running Android 5.1 (API Level 22), Android 6.0.1 (API Level 23), and Android 7.1.1 (API Level 25).
This result seems to suggest an inconsistency between API Level 21 and the other API Levels. Further, an older version of Android seems to be more secure than the newer versions of Android with respect to this vulnerability.
Here are the various possibilities with task affinity that we considered while developing this benchmark.
The table has 5 columns:
- Constraint describes how the task affinities of the activities are related.
- Scenario describes the actions taken by the user.
- Task Stack describes how activities are arranged in a task in Android.
- Displayed Activity lists the activity that is shown to the user.
- Expected Activity lists the activity the user expects to see. (ToS = Top of Stack)
TaskAffinityBL and TaskAffinityML are the task affinities of launcher activities in Benign and Malicious, respectively. TaskAffinityB and TaskAffinityM are the task affinities of non-launcher activities in Benign and Malicious, respectively.
| Constraint | Scenario | Task Stack | Displayed Activity | Expected Activity |
|---|---|---|---|---|
| TaskAffinityBL = TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Malicious and reaches activity M, then launches Benign | ML -> M (ToS) | M | BL |
| TaskAffinityBL = TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Malicious and then launches Benign | ML (ToS) | ML | BL |
| TaskAffinityBL = TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Benign and then launches Malicious | BL (ToS) | BL | ML |
| TaskAffinityBL = TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Benign and reaches activity B, then launches Malicious | BL -> B (ToS) | B | ML |
| TaskAffinityBL = TaskAffinityB = TaskAffinityML ≠ TaskAffinityM | User launches Malicious and reaches activity M, then launches Benign | ML -> M (ToS) | M | BL |
| TaskAffinityBL ≠ TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Malicious and reaches activity M, then launches Benign | ML -> M (ToS), BL (ToS) | BL | BL |
| TaskAffinityBL ≠ TaskAffinityB = TaskAffinityML = TaskAffinityM | User launches Malicious and then launches Benign | ML (ToS), BL (ToS) | BL | BL |
How to mitigate this issue?
There is an easy way to secure an app against this vulnerability. The developer of a benign app can set the task affinity of all activities to "" (the empty string) in the application tag of AndroidManifest.xml, indicating that the activities of the benign app have no affinity to any task. Such activities are assigned a unique task affinity that is unknown a priori, determined at run time, and not shared among apps. Hence, activities in other apps cannot request the same task affinity as the activities in the benign app. This mitigates the vulnerability.
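As an added example (not part of the original benchmark), the following Python check audits an AndroidManifest.xml for the mitigation described above: it resolves the task affinity Android will use for each activity (activity attribute, then application attribute, then the package name) and flags every activity whose affinity is a predictable string that another app could request. The function names and the sample manifest are constructed for this illustration.

```python
"""Audit an AndroidManifest.xml for task-affinity hygiene (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def effective_task_affinity(package, app_affinity, activity_affinity):
    """Resolve the affinity Android uses for an activity.

    Precedence: activity attribute > <application> attribute > package name.
    An empty string means "no affinity": the activity gets a task whose
    affinity nobody can name in advance, which is the mitigation above.
    """
    if activity_affinity is not None:
        return activity_affinity
    if app_affinity is not None:
        return app_affinity
    return package


def audit_task_affinity(manifest_xml):
    """Return (activity name, effective affinity, verdict) per activity.

    A fixed affinity (the package default or any literal string) can be
    requested by an activity in another app; only "" cannot.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    application = root.find("application")
    app_affinity = application.get(ANDROID_NS + "taskAffinity")
    findings = []
    for activity in application.iter("activity"):
        name = activity.get(ANDROID_NS + "name")
        affinity = effective_task_affinity(
            package, app_affinity, activity.get(ANDROID_NS + "taskAffinity"))
        if affinity == "":
            verdict = "ok: no affinity, unique task at run time"
        elif affinity == package:
            verdict = "weak: default affinity equals package name"
        else:
            verdict = "weak: fixed affinity another app can request"
        findings.append((name, affinity, verdict))
    return findings


# Constructed manifest: BenignMain keeps the package default, Settings
# applies the mitigation, Share uses a fixed literal affinity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <application android:label="Benign">
    <activity android:name=".BenignMain" />
    <activity android:name=".Settings" android:taskAffinity="" />
    <activity android:name=".Share" android:taskAffinity="com.example.shared" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, affinity, verdict in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{name}: affinity={affinity!r} -> {verdict}")
```

Setting android:taskAffinity="" once on the application element instead of per activity yields "ok" for every activity that does not override it.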
- Aditya Narkar
- Joydeep Mitra
- Venkatesh-Prasad Ranganath