The “Affinity” of Android tasks seems really complex to handle. The StrandHogg vulnerability uses tricks with “Affinity” to render itself inside another app.
The information that I’ve found so far does not provide exact details of the vulnerability, but as far as I know it is not a technical vulnerability but a poorly designed API which allows for clever social engineering attacks.
Is there a real use case for the API behavior that StrandHogg uses?
If I have understood correctly, the API the vulnerability uses allows an attacker to place its own Activity on the victim’s “back stack”. From reading the API description and the provided example cases, the main intent of this API is to allow embedded activities from other apps to be displayed within your own task. However, the StrandHogg vulnerability seems to be the other way around: using the API to push your own activity onto another task’s “back stack”.
My best guess is that the attack uses the weird behavior described on page 100 of a presentation called “Manipulating Android tasks and back stack” from 2011. However, I cannot imagine any sensible use case for the behavior described.
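As an added example that is not part of the original question, the defensive side of the same mechanism looks like this: the task affinity of an activity defaults to the app’s package name, which is what lets an activity from another APK declare the same affinity and end up in the same task. Declaring an empty affinity opts the activity out of that sharing entirely. The package name `com.example.bankapp` and the activity `LoginActivity` are placeholders I chose for the illustration.

```xml
<!-- Added example, not from the original question: a hardened AndroidManifest.xml
     fragment for the app that wants to protect its own task.
     Package and activity names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankapp">

    <!-- Refuse to let this app's activities be moved into another app's task. -->
    <application
        android:label="Example Bank"
        android:allowTaskReparenting="false">

        <!-- taskAffinity="" removes the default affinity (the package name), so
             no activity from another package can claim affinity with this task.
             launchMode="singleTask" is a commonly recommended extra measure that
             keeps a single task rooted at this activity; the affinity attribute
             is the one that addresses the task-sharing behaviour itself. -->
        <activity
            android:name=".LoginActivity"
            android:exported="true"
            android:taskAffinity=""
            android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

The attribute has to be set on every activity that should not share a task (or on `<application>` to cover all of them); leaving it at the default on even one activity leaves that activity’s task open to affinity matching.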