
[BUG]StrandHogg2.0 Restoration suggestions #1030

Open
@1pear1

Description

[Vulnerability Title] Domain name and scope affected by the vulnerability, parameters involved, vulnerability type, etc.
Vulnerability Type: Android Task Stack Hijacking
Affected Scope: Applications with standard startup mode

[Vulnerability Description] Contains the URL, parameters, application version, etc. involved in the vulnerability
The attacker deliberately does not set the FLAG_ACTIVITY_NEW_TASK flag on the disguised page and places the disguised page in the task stack of the target application.
When the user taps the target application's icon and then presses the back key, the Activity of the attacker's malicious application is started. It is difficult for the user to distinguish the normal page from the disguised page. The attacker can use this to imitate the login interface of the target application and induce the user to enter their account and password, thereby stealing the user's private information.

[Reproduction method] Describe the vulnerability reproduction sequence according to logic. If you use a tool to reproduce the vulnerability, you should provide the tool name.

  1. Write an attack application and set the target application package name and activity name.
  2. Install the attack application on the test device.
  3. Start the target application and observe whether the task stack is successfully hijacked and the activity of the attack application is started.

https://github.com/user-attachments/assets/681ac1c9-a1f0-438d-b5e5-d410d3eecf04
https://github.com/user-attachments/assets/bdd25dd5-d27e-4b42-a8ea-19c808e22f7e

[Proof of exploitation] Contains the vulnerability impact description and the proof of exploitation, which are generally provided in the form of screenshots.
The attack application is started successfully. When the user first starts the app, pressing the back button displays the counterfeit target application interface, and the information entered by the user is captured by the attack application. The specific process is shown in the attachment.

[Repair plan] Provide at least one executable repair suggestion, which can provide code-level repair suggestions or protection strategies.

  1. Without affecting the normal function of the application, try to set android:launchMode="singleTask". When the application is first started, the disguised page is cleared from the activity stack, so it cannot be attacked in this case;
  2. Without affecting the normal function of the application, try to set android:exported="true" to prevent it from being started by an external application;
  3. When the application is started, count the number of activities in the foreground task of the task stack. If the number is greater than the initially configured value, warn the user that a disguised malicious attack page may be present, and recommend that the user not enter sensitive information.
Android.Architecture.Samples-StrandHogg2.0-Restoration.mp4

Sample code:

```kotlin
import android.app.ActivityManager
import android.content.Context
import android.widget.Toast

// Run from an Activity (e.g. in onCreate) once the app has come to the foreground.
val activityManager = getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager
// getAppTasks() lists only the tasks that belong to this application.
val appTasks: List<ActivityManager.AppTask> = activityManager.appTasks

if (appTasks.isNotEmpty()) {
    // Number of activities expected in the task right after a cold start from the launcher.
    val initialActivityCount = 1
    val taskInfo: ActivityManager.RecentTaskInfo = appTasks[0].taskInfo
    // numActivities is available on RecentTaskInfo from API 23 onwards.
    val numActivities: Int = taskInfo.numActivities

    if (numActivities > initialActivityCount) {
        Toast.makeText(this, "Warning: The number of activities in the current foreground task is abnormal, which may pose a security risk. Please be careful not to enter sensitive information on subsequent pages!", Toast.LENGTH_LONG).show()
    }
}
```
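The activity-count check from repair suggestion 3, packaged as a reusable function with a second heuristic added. This is an added example, not code from the issue author or from the Android Architecture Samples project. It assumes the check runs inside the launcher Activity (a hypothetical LoginActivity), and it relies on ActivityManager.RecentTaskInfo exposing numActivities and baseActivity, which it does from API 23 onwards; the TaskStackCheck result type is constructed for this example.

```kotlin
import android.app.Activity
import android.app.ActivityManager
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.widget.Toast

/** Outcome of inspecting the task this activity runs in (type constructed for this example). */
sealed class TaskStackCheck {
    object Clean : TaskStackCheck()
    object Unsupported : TaskStackCheck()
    data class Suspicious(val numActivities: Int, val foreignRoot: String?) : TaskStackCheck()
}

/**
 * Inspect the most recent task owned by this app and apply two heuristics:
 *  1. the activity count must not exceed [expectedCount] (the issue's own check);
 *  2. the root (base) activity of the task must belong to this package, so an activity
 *     from another app sitting underneath ours is reported as well.
 * Both fields come from ActivityManager.RecentTaskInfo and need API 23 or later.
 */
fun Activity.inspectTaskStack(expectedCount: Int = 1): TaskStackCheck {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return TaskStackCheck.Unsupported

    val am = getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager
    // appTasks lists only tasks associated with this app; the first entry is the most recent one.
    val info = am.appTasks.firstOrNull()?.taskInfo ?: return TaskStackCheck.Clean

    // Package of the activity at the bottom of the task; null if the system did not report it.
    val rootPackage = info.baseActivity?.packageName
    val foreignRoot = rootPackage?.takeIf { it != packageName }
    val tooMany = info.numActivities > expectedCount

    return if (tooMany || foreignRoot != null) {
        TaskStackCheck.Suspicious(info.numActivities, foreignRoot)
    } else {
        TaskStackCheck.Clean
    }
}

/** Hypothetical launcher activity showing where the check would be invoked. */
class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        when (val check = inspectTaskStack()) {
            is TaskStackCheck.Suspicious -> Toast.makeText(
                this,
                "Unexpected activities in this task (${check.numActivities}); " +
                    "do not enter credentials on pages you did not open.",
                Toast.LENGTH_LONG
            ).show()
            else -> Unit
        }
    }
}
```

Treat both heuristics as signals rather than proof: an activity that is legitimately started into another app's task (a share target, for instance) also fails the root-package test, so apply the function only to entry points that are always launched from the home screen, and keep expectedCount in step with any splash or onboarding screens the app pushes before the login page.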
