[BUG]StrandHogg2.0 Restoration suggestions #846

@1pear1

🐛 Bug Report

Expected behavior

The attacker deliberately did not set the FLAG_ACTIVITY_NEW_TASK flag of the disguised page and placed a disguised page in the task stack of the target application.
When the user clicks the target application icon, pressing the back key will start the Activity of the malicious application written by the attacker. It is difficult for the user to distinguish between the normal page and the disguised page. The attacker can use this to imitate the login interface of the target application and induce the user to enter the account and password, thereby stealing the user's private information.
The attack application is successfully started. When the user initially starts the APP, pressing the back button will display the counterfeit target application interface. The information entered by the user is captured by the attack application. The specific process is shown in the attachment.

Reproduction steps

  1. Write an attack application and set the target application package name and activity name.
  2. Install the attack application on the test device.
  3. Start the target application and observe whether the task stack is successfully hijacked and the activity of the attack application is started.

Configuration

Version: 2.0.0

Platform: 🤖 Android 9+
