MOB-DEEPLINK-ABUSE · Initial Access
Android Deeplink / Intent Abuse
Exported activity / intent-filter with weak validation — craft an intent URL that triggers privileged actions in the app.
§ Where this technique fits
MOB-DEEPLINK-ABUSE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3 on average.
§ Dossiers chaining this technique
- step 2 / 6
Deeplink abuse → in-app account takeover
Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source, so a click on a phishing URL resets another user's password.
- step 4 / 5
WebView XSS → JS bridge → native code exec
WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code.
§ What commonly comes next
- 01 Command and Scripting Interpreter (seen 1×) T1059 · Execution
- 02 Intent Injection / Pending Intent Abuse (seen 1×) MOB-INTENT-INJECT · Privilege Escalation