In recent years, the hijacking vulnerabilities of Android components have been widely discussed, and hijacked Android components have been used to disclose personal information or private data to attackers. Such attacks redirect the Android component's original workflow to malicious code, or even execute malware. We propose an Activity Hijacking Attacks (AHA) scheme that examines the original activity workflow to keep track of every activity in the Android framework. This enables AHA to detect a malicious app that attempts to open an activity in the foreground, or an activity whose layout is similar to a login page, i.e., one with a text field for account names and passwords. When such activities are detected, our scheme notifies users to be cautious about keying their credentials into the new activity. Experimental results show that using AHA can prevent attacks designed to steal personal information. Furthermore, our proposed scheme can be easily patched into the existing Android system and has a negligible overhead.