Task hijacking protection

An essential element of Android is multitasking between applications. However, unlike on a desktop computer, multitasking does not mean that multiple processes are running at the same period of time, but rather "a collection of activities that users interact with when performing a certain job". See Tasks and Back Stack on the Android Developer Documentation site for more details on tasks and back stack.

A task is essentially the back-stack of activities, and it is closely related to the Recents screen (also known as the Overview screen or recent apps). This is a stack that essentially defines the navigation state and history of an app, which is invoked when clicking the back button on the device, to determine what activity should be restored. See Recents Screen on the Android Developer Documentation site for more details.

On Android, activities from different apps are allowed to reside in the same task, such as opening a link from your email app, which will open a browser in the same task. When pressing the back button, the user will return back to their email application view.

These tasks have an internal ID that is referred to as taskAffinity. This is a string value which is by default set to the same as the app PackageName.

Malware can set the taskAffinity of an activity to the PackageName of a target app and, by doing so, can hijack tasks belonging to the target app. In practice, this means that the user may click the target app icon in the launcher, but instead of seeing the target app’s activity, malware activity is shown. Apps can define several distinct activities with distinct taskAffinity values which allows malware to target a wide suite of applications.

App Shielding can detect and block such hijacking attempts.