StrandHogg is an Android vulnerability in which malicious applications exploit its multitasking system to display falsified applications like legitimate ones on devices running Android OS.
A user opens a banking app. A malicious app can intercept this action and display a fake login screen identical to what would be found within a banking application. Unknowingly, users enter their credentials that are then transmitted to an attacker.
What is an “Activity”?
An Activity represents a single, focused UI component that the user can interact with. Each screen in an app is typically one activity.
Activity Example:
1. A login screen is one activity.
2. A dashboard screen is another activity.
3. A settings page is a third activity.
What is a “Task”?
Tasks are defined as any set of activities users engage in to perform an action or workflow.
Task Example:
Every time a user completes activities like Login, Dashboard and Settings Page, they are performing an action and fulfilling a task.
Android tasks are collections of activities designed to accomplish one specific action or workflow.
What is a “Back Stack”?
The Back Stack is a stack (last-in, first-out) of activities that have been launched in a task.
Back Stack Example:
Let’s assume that user is performing a task where he navigates to “activity1: Loginpage”.
User authenticates and was redirected to another activity “activity2: Dashboard”.
Then user clicks on setting button and was redirected to third activity “activity3: Settings”.
When user press back button, he goes from activity3 -> activity2 ->activity1
Now what is a back stack?
1) User is performing a task where he navigates to “activity1: Loginpage”
BackStack: Loginpage
2) User authenticates and was redirected to another activity “activity2: Dashboard”
BackStack: Loginpage –> Dashboard
3) User clicks on setting button and was redirected to third activity “activity3: Settings”
BackStack: Loginpage –> Dashboard –> Settings
4) Users press back button and was redirected to previous activity “activity2: Dashboard”
BackStack: Loginpage –> Dashboard
5) Users press back button and was redirected to previous activity “activity1: Loginpage”
BackStack: Loginpage
Explanation:
Activities: There are four activities in the app MainActivity as the root activity, and LoginActivity, DashboardActivity, and SettingsActivity as other activities.
Task: These activities together form a task, and as the user navigates through them,
Back Stack: The back stack stores the history of these activities, allowing the user to navigate back through the task.
What is taskaffinity?
TaskAffinity in Android is used to determine which task an activity belongs to. By setting a custom taskAffinity, activities can be placed in separate tasks. <activity android:taskAffinity=””/>
Example TaskAffinity:
Explaination:
1) LoginActivity uses taskAffinity=”com.example.loginTask”
2) MainActivity uses taskAffinity=”com.example.mainTask”
Which confirms both have seperate task
This setup ensures that when the user logs out from MainActivity and presses back, they won’t be automatically logged in because the login process runs in a separate task
Launch mode are used to launch and manage activity in a android application
Four types of launch mode:
1) Standard: A new instance of the activity is created every time it is launched
2) SingleTop: If the activity is already at the top of the task stack, it is reused, or else new instance is created
3) Single Task: A login activity is set as singleTask to ensure only one instance is running in the task at a time
4) Single Instance: The activity is launched in a new task, and it is the only activity in that task, preventing any other activities from being added to it.
1) Launch Mode: Decompile the application using tools like ApkTool or jadx-gui. Locate the AndroidManifest.xml file and check for activities with android:launchMode=”singleTask”
2) Minimum SDK Version: In the same AndroidManifest.xml file, check the android:minSdkVersion. If it is less than 30, the application may not have protections against task hijacking vulnerabilities
Launch the Jadx-GUI tool on your system. If not installed, download and install it from Jadx GitHub Repository.
Drag and drop the target APK file into the Jadx-GUI interface
In the left-hand navigation pane, expand the Resources folder. Click on the AndroidManifest.xml file to view its content.
Look for the <uses-sdk> tag and check the android:minSdkVersion attribute. Confirm if its value is less than 30. Next Locate the <activity> tags and check if the android:launchMode attribute is set to singleTask
To dive deeper into how this vulnerability can be exploited, check out this blog: Task Hijacking (StrandHogg) Vulnerability Part 2
Malicious apps often employ techniques like taskAffinity in order to trick users. By opening these applications, users may unknowingly interact with harmful ones as part of their experience.
Task Affinity vulnerabilities allow attackers to hijack legitimate user actions by bypassing security measures and gaining unauthorized access to sensitive information.
To protect against such attacks, developers can set taskAffinity to an empty string and select singleInstance launch mode to ensure their app’s isolation from others. Customizing onBackPressed() provides extra protection against task hijacking.
Update Android SDK version 30 or later (Android 11) to address this vulnerability. These versions include OS patches that help mitigate it.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
Join us on our journey of growth and development by signing up for our comprehensive courses.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
info@redfoxsec.com
©️2025 Redfox Cyber Security Inc. All rights reserved.
