How Intent Redirection Lets Malicious Android Apps Gain System Privileges

This article analyzes a high‑risk Android Intent‑redirection vulnerability discovered in a smart‑terminal app, explains how attackers can gain system privileges to launch arbitrary activities, and outlines concrete mitigation steps for developers and security professionals.

OPPO Amber Lab

Background

At the beginning of this month, the US security company Kryptowire published a blog post reporting a high‑risk vulnerability discovered in a smart‑terminal app. The flaw allows a malicious app installed on the device to gain system privileges and launch arbitrary activities, enabling actions such as dialing any number, performing a factory reset, installing or uninstalling apps, and installing certificates.

Amber Lab quickly reproduced and analyzed the vulnerability, confirming it is an Intent redirection issue. They verified that their own applications are not affected and noted that similar Intent‑redirection bugs appear frequently in Google AOSP code and third‑party apps, posing severe risks. The lab provides a detailed analysis and mitigation methods below.

Principle

Intent redirection occurs when an app extracts an Intent from an untrusted source, optionally repackages it, and then invokes methods such as startActivity, startActivityForResult, startService, or sendBroadcast to launch or pass the Intent.

Because Android’s Intent class implements Parcelable, an Intent object can be placed in the extras of another Intent and handed to another component, which may then unpack and launch it.

Attackers can use a redirected Intent as a bridge to reach non‑exported components, achieving “launch‑anywhere” or “broadcast‑anywhere” capabilities.

Intent redirection violates Android’s sandbox security model, allowing the attacker to bypass component export restrictions: the redirected Intent is launched with the identity and permissions of the forwarding app, not the attacker’s. The article focuses on the first threat model (a malicious ordinary app targeting a system app); other models are described in Amber Lab’s public posts.

Detailed Analysis

The article examines two concrete Intent‑redirection examples: one in a regular app and one in the reported system app.

Regular App Intent Redirection

The app contains an exported HomeActivity with an Intent‑redirection flaw (shown in the original article as a code screenshot). It also has a non‑exported WebViewActivity that loads a URL, supplied through the Intent, in a WebView.

By sending a crafted Intent to HomeActivity, an attacker can trigger WebViewActivity to load a malicious webpage and steal the app’s token.

System App Intent Redirection

The vulnerable system app declares android:sharedUserId="android.uid.system" and resides in the priv-app directory, granting it system privileges.

Its testUsaWpsManager class dynamically registers a broadcast receiver for the action USER_SELECT_WIFI_SERVICE_CALL; a receiver registered this way is reachable from other apps unless it is explicitly restricted. The receiver’s onReceive extracts an extra_call_intent without validation, constructs a new Intent from it, and passes it to setCallIntent, which adds FLAG_ACTIVITY_NEW_TASK and forwards it to makeCall. makeCall eventually calls startActivityAsUser with UserHandle.CURRENT, launching the attacker‑supplied activity with system rights.

This flow enables a zero‑permission malicious app to launch any activity, dial arbitrary numbers, perform factory reset, install/uninstall apps, and install certificates, effectively taking full control of the device.

Mitigation Methods

Mark components that should not receive external Intents as non‑exported (android:exported="false").

Validate that incoming Intents originate from trusted sources, e.g., using getCallingActivity for startActivityForResult.

Ensure redirected Intents are safe: verify the target component with resolveActivity, check flags with getFlags, and avoid granting URI permissions unintentionally.
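Added example (not from the original article or OPPO Amber Lab’s code): the vulnerable forwarding pattern described in the Principle and Detailed Analysis sections, left commented out beside a hardened version that applies the checks above. ForwardingActivity, EXTRA_FORWARD_INTENT, the package name and the allow‑list entry are assumed names.

```java
package com.example.redirect; // assumed package

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ForwardingActivity extends Activity {
    // Assumed extra name; the vulnerable app in the article used extra_call_intent.
    static final String EXTRA_FORWARD_INTENT = "extra_forward_intent";
    // Allow-list of in-package destinations this screen is meant to forward to (assumed).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "com.example.redirect.SettingsActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_FORWARD_INTENT);
        if (forwarded == null) { finish(); return; }

        // VULNERABLE pattern (the flaw described above): a nested Intent built by an
        // untrusted caller is launched as-is, with this app's identity and permissions,
        // so it can reach non-exported components the caller could not start directly.
        // startActivity(forwarded);

        // HARDENED pattern: launch only after the checks in isSafeToForward().
        if (isSafeToForward(forwarded)) {
            startActivity(forwarded);
        }
        finish();
    }

    boolean isSafeToForward(Intent intent) {
        // Never pass along flags that would grant this app's URI permissions to the target.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
        if ((intent.getFlags() & grantFlags) != 0) return false;

        // Resolve the concrete target; an Intent that resolves to nothing is dropped.
        ComponentName target = intent.resolveActivity(getPackageManager());
        if (target == null) return false;

        // Require the target to live in this package and to be an intended destination.
        return getPackageName().equals(target.getPackageName())
                && ALLOWED.contains(target.getClassName());
    }
}
```

For the startActivityForResult case, the receiving component can additionally call getCallingActivity() and reject requests whose caller package is not one it trusts.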

Conclusion

The attacker combined a dynamic broadcast registration vulnerability with an Intent‑redirection flaw in a system app, creating a powerful attack chain that endangers Android devices. Defending against such threats requires developers and security professionals to understand common vulnerability patterns and apply the mitigation steps described.

Written by OPPO Amber Lab

Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.