CVE-2020-0096 Overview
CVE-2020-0096 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in the startActivities method of ActivityStartController.java, where a confused deputy condition allows a malicious application to gain elevated privileges. Exploitation requires no user interaction and no additional execution privileges beyond those granted to a standard installed application. The vulnerability affects Android 8.0, 8.1, and 9, and is tracked internally by Google as Android ID A-145669109. Public reporting later associated this issue with the StrandHogg 2.0 task-hijacking technique, which abuses Android's multitasking system to overlay malicious activities on top of legitimate applications.
Critical Impact
A local application can escalate privileges and impersonate legitimate apps without user interaction, enabling credential theft and unauthorized access to protected resources.
Affected Products
- Google Android 8.0
- Google Android 8.1
- Google Android 9
Discovery Timeline
- 2020-05-14 - CVE-2020-0096 published to NVD
- 2020-05-01 - Google releases fix in the Android Security Bulletin - May 2020
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0096
Vulnerability Analysis
The vulnerability is a confused deputy weakness in the Android Activity Manager. The startActivities method in ActivityStartController.java processes an array of intents used to launch a sequence of activities. The system component performing the launch holds higher privileges than the calling application, but it fails to consistently validate each intent in the array against the caller's identity and permissions.
A malicious app can submit a crafted array of intents that mixes its own activities with activities belonging to other applications or system components. The Activity Manager honors the request using its elevated context, effectively performing actions on behalf of the attacker that the attacker could not perform directly. Public technical write-ups link this primitive to task affinity abuse, where the malicious app hijacks the task stack of a target application and presents its own activities under the identity of the victim.
Root Cause
The root cause is improper authorization within a privileged system service [NVD-CWE-noinfo]. The ActivityStartController accepts batched activity launches and trusts attributes such as task affinity, taskAffinity reuse, and intent targets without re-checking the caller's right to influence those task stacks. This design permits a low-privileged app to manipulate task placement and activity order in ways that confuse both users and the operating system.
Attack Vector
Exploitation is local and requires a malicious application to be installed on the device. The attacker app declares specific task affinity and allowTaskReparenting attributes, then invokes a batched activity start through the affected code path. When the user later launches the targeted legitimate application, the malicious activity appears in the foreground inside the victim's task. The user sees the victim app's identity in the recents view and on the screen, while interacting with attacker-controlled UI. This enables phishing of credentials, capture of permission prompts such as camera, microphone, location, and SMS, and arbitrary execution of code under the impression of a trusted app context.
No verified public exploit code is referenced in the NVD record. The mechanism is described in the Android Security Bulletin - May 2020.
Detection Methods for CVE-2020-0096
Indicators of Compromise
- Installed applications declaring unusual taskAffinity values that match the package names of high-value apps such as banking, email, or authenticator applications.
- Applications using android:allowTaskReparenting="true" combined with activities marked singleTask or singleInstance without a legitimate multitasking use case.
- Unexpected activity transitions in logcat showing foreign activities launched into another app's task stack.
- Sideloaded APKs from non-Play sources requesting sensitive runtime permissions shortly after installation.
Detection Strategies
- Inspect installed packages on Android 8.0, 8.1, and 9 devices for manifest entries that mirror task affinities of unrelated, popular applications.
- Monitor mobile device management (MDM) telemetry for devices running Android security patch levels older than 2020-05-01.
- Use mobile threat defense agents to flag apps that invoke startActivities with intent arrays referencing components outside their own package.
Monitoring Recommendations
- Enforce minimum Android security patch level policies through enterprise mobility management and block enrollment of devices below the May 2020 patch level.
- Centralize mobile telemetry, application inventories, and patch status in a SIEM or data lake to correlate vulnerable device states with user identity and access events.
- Alert on credential entry events following recent app installations, which is consistent with task hijacking phishing.
How to Mitigate CVE-2020-0096
Immediate Actions Required
- Apply the Android security patch level 2020-05-01 or later on all affected Android 8.0, 8.1, and 9 devices.
- Upgrade end-of-life devices that cannot receive the May 2020 patch to a supported Android release.
- Restrict installation of applications from unknown sources through MDM policy.
- Review enterprise-distributed apps for legitimate use of taskAffinity and allowTaskReparenting attributes.
Patch Information
Google addressed CVE-2020-0096 in the May 2020 Android Security Bulletin. Details and source patches are available in the Android Security Bulletin - May 2020. The fix tightens caller validation in ActivityStartController.startActivities so that batched activity launches respect the originating app's privileges and cannot inject activities into another application's task stack.
Workarounds
- Limit app installations to the Google Play Store and trusted enterprise stores until devices are patched.
- Train users to verify the app shown in the recents screen before entering credentials or approving permission prompts.
- For unmanaged Android 8.x or 9 devices, restrict access to sensitive enterprise resources through conditional access policies that require a current patch level.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
