Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Attack Patterns (CAPEC)
CAPEC-501

CAPEC-501: Android Activity Hijack

Detailed attack pattern

Draft

CAPEC-501: Android Activity Hijack

An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.

Last updated June 1, 2026

Medium

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-501 (Android Activity Hijack) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Find an android application that uses implicit intents] Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.
Step 2
Experiment
[Create a malicious app] The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.
- Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
Step 3
Experiment
[Get user to download malicious app] The adversary must get a user using the targeted app to download the malicious app by any means necessary
Step 4
Exploit
[Gather sensitive data through malicious app] Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.
- Gather login information from a user using a malicious app

What the attacker needs

Prerequisites

The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity.

Skills required

High skill: The adversary must typically overcome network and host defenses in order to place malware on the system.

Resources required

Malware capable of acting on the adversary's objectives.

Consequences

What a successful CAPEC-501 attack can achieve.

Read Data

Affects: Confidentiality

How to mitigate it

Defenses that reduce the risk of CAPEC-501.

To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).
Never use implicit intents for inter-application communication.

Related weaknesses

The CWE weaknesses that CAPEC-501 exploits.

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Related attack patterns

How this attack relates to others in the CAPEC hierarchy.

Parent

CAPEC-173: Action Spoofing
CAPEC-499: Android Intent Intercept

Frequently asked questions

Common questions about CAPEC-501.

What is CAPEC-501?

An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.

How does a Android Activity Hijack attack work?

It typically unfolds over 4 phases. It begins with: [Find an android application that uses implicit intents] Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

How do you prevent CAPEC-501?

To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).

What weaknesses does CAPEC-501 target?

CAPEC-501 exploits 1 CWE weakness, including CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints).

How severe is CAPEC-501?

MITRE rates CAPEC-501 as Medium severity.

References

MITRE CAPEC definition (CAPEC-501) (opens in a new tab)
Learn: What is CAPEC?

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-501

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
How the attack works
What the attacker needs
Consequences
How to mitigate it
Related weaknesses
Related attack patterns
FAQ
References