Hi,
The intent filters specify a list of known hosts. But in the UrlEvaluatorActivity activity, the URL is not checked to see if it is really in the lists specified in the manifest file. This can be used maliciously as follows:
A malicious app can send an explicit intent to the app. Because this app does not check if it is one of those possible short URLs, it tries to connect to the passed URL. The URL is hosted on a domain that is controlled by the attacker. Therefore the malicious server sets the Content-Location part of the header with a URL containing an encoded part of a malware binary (e.g., myprotocl://abc.com/content=123FE435...). The app extracts this location and tries to create a new intent with VIEW action. If the malicious app has an intent filter with any host (host=""), scheme="myscheme" and pathPattern="/content=.", then it will receive the malware content. If the size does not permit, it can perform several similar queries to collect the parts of the malware.
Can you confirm this possible vulnerability, please?
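
A defensive check for the two gaps the report describes, as an added example that is not part of the original post or the app's own code: re-validate the incoming URL's host inside the activity, and accept only http(s) targets from Content-Location before building the VIEW intent. The class name `ShortUrlGuard`, its method names and the host list are assumptions; the real list must mirror the hosts declared in the manifest.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not from the app). The host list below is constructed
// for illustration and must match the manifest's <data android:host> entries.
public final class ShortUrlGuard {
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("bit.ly", "t.co", "goo.gl"));
    private static final Set<String> WEB_SCHEMES =
            new HashSet<>(Arrays.asList("http", "https"));

    /** Explicit intents bypass intent filters, so the host is checked again here. */
    static boolean isKnownShortUrl(String url) {
        URI u = parse(url);
        return u != null && hasWebScheme(u) && u.getUserInfo() == null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
    }

    /** A Content-Location value may only lead to a plain web URL, never a custom scheme. */
    static boolean isSafeRedirectTarget(String location) {
        URI u = parse(location);
        return u != null && hasWebScheme(u);
    }

    // Returns null for anything that is not an absolute URI with a parseable host.
    private static URI parse(String s) {
        if (s == null) return null;
        try {
            URI u = new URI(s.trim());
            return (u.getScheme() == null || u.getHost() == null) ? null : u;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    private static boolean hasWebScheme(URI u) {
        return WEB_SCHEMES.contains(u.getScheme().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed inputs: an allowed short URL, an unlisted host, and the report's custom-scheme value.
        System.out.println(isKnownShortUrl("https://bit.ly/abc"));
        System.out.println(isKnownShortUrl("https://unlisted.example/abc"));
        System.out.println(isSafeRedirectTarget("myprotocl://abc.com/content=123FE435"));
    }
}
```

In the activity, `isKnownShortUrl` would gate the network request on the intent's data, and `isSafeRedirectTarget` would gate the creation of the VIEW intent from the response header.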