Attacking Android Antivirus Applications

We discussed this vulnerability during Episode 201 on 03 April 2023

A fairly classic mobile issue: McAfee Security: Antivirus VPN is a highly privileged app, and it exports a fairly generic MainActivity. The MainActivity is rather dynamic in terms of what content it will load, essentially acting as a wrapper that launches whatever the real intent was. Setting the first extra to TRIGGER:MESSAGING makes it look for the SCREEN extra, build an activity intent with whatever class and extras are set in that field, and launch it.

As this is a privileged application, an attacker could abuse that to craft a SCREEN value that launches privileged intents from within the McAfee application, such as triggering a phone call. The nested intent is started from the privileged context of the McAfee Security application.
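For contrast, here is what a hardened version of such a wrapper activity looks like. This is an added illustration, not McAfee's code; the extra key names (TRIGGER, SCREEN), the modelling of SCREEN as a nested Parcelable Intent, and the allow-listed screen class are assumptions made for the example.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import java.util.Set;

// Illustrative hardened wrapper (not McAfee's code). Extra keys and the
// encoding of SCREEN as a nested Intent are assumptions for this example.
public class SafeWrapperActivity extends Activity {
    private static final String TAG = "SafeWrapper";
    private static final String EXTRA_TRIGGER = "TRIGGER";
    private static final String EXTRA_SCREEN = "SCREEN";
    private static final String TRIGGER_MESSAGING = "MESSAGING";
    // Only screens this app deliberately exposes through the wrapper (assumed name).
    private static final Set<String> ALLOWED_SCREENS =
            Set.of("com.example.app.ui.MessagingActivity");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent incoming = getIntent();
        if (incoming == null
                || !TRIGGER_MESSAGING.equals(incoming.getStringExtra(EXTRA_TRIGGER))) {
            finish();
            return;
        }
        // In an exported activity every extra, including this nested Intent,
        // is caller-controlled, so it must be validated before being started.
        Intent nested = incoming.getParcelableExtra(EXTRA_SCREEN);
        if (nested == null || !isAllowed(nested)) {
            Log.w(TAG, "Rejected nested intent from caller: " + getCallingPackage());
            finish();
            return;
        }
        startActivity(nested);
        finish();
    }

    // Accept only explicit intents aimed at an allow-listed activity in this
    // package, with no selector and no URI-permission grants riding along.
    private boolean isAllowed(Intent nested) {
        ComponentName target = nested.getComponent();
        if (target == null) return false;                     // implicit: could resolve anywhere
        if (!getPackageName().equals(target.getPackageName())) return false;
        if (!ALLOWED_SCREENS.contains(target.getClassName())) return false;
        if (nested.getSelector() != null) return false;       // selector would override target
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```

The key point is that the wrapper never forwards an arbitrary component: the target must be an explicit, allow-listed activity inside the app itself, so the privileged context cannot be used to reach the dialer or any other external component.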