Full Report
WebViews are commonly used in Android applications to display web pages inside the app itself. To improve usability, apps also commonly register deeplinks (custom URIs). When deeplinks are used, the activity that handles them can additionally be declared browsable and exported in the app's manifest, which allows it to be launched from outside the app. The content passed through these links must therefore be strictly validated; otherwise it can lead to phishing. If a WebView is rendered silently inside the app, a user is likely to trust the login page it displays.
Analysis Summary
# Tool/Technique: WebView Phishing via Vulnerable Deeplinks
## Overview
This technique involves exploiting improperly configured Android WebViews and exported deeplinks to perform phishing attacks. By leveraging "browsable" activities that do not strictly validate incoming URIs, an attacker can force a legitimate application to render a malicious attacker-controlled URL. Since the WebView is hosted within a trusted application's process, users are more likely to input sensitive credentials (such as OAuth tokens or login info), believing the prompt is authentic.
## Technical Details
- **Type:** Technique (Vulnerability Exploitation / Phishing)
- **Platform:** Android
- **Capabilities:** URL Redirection, Credential Theft, UI Spoofing, JavaScript Execution.
- **First Seen:** Case study published July 2024 (Specific to Meta Threads vulnerability).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1475 - Drive-By Compromise (Mobile)
- **TA0007 - Discovery**
  - T1418 - Software Discovery
- **TA0006 - Credential Access**
  - T1517 - Access Notifications/Inputs (via Phishing UI)
- **TA0002 - Execution**
  - T1204.001 - User Execution: Malicious Link
## Functionality
### Core Capabilities
- **Deeplink Hijacking:** Exploits `android.intent.category.BROWSABLE` and `android.intent.action.VIEW` intents declared in the Android Manifest.
- **External Redirection:** Forcing the app to load an external `http://` or `https://` URL into an internal WebView component.
- **Silent Rendering:** The WebView often opens automatically upon clicking a crafted link from a browser, SMS, or another app without secondary user confirmation.
### Advanced Features
- **Bypassing URL Validation:** Exploiting weak regex or logic in the app's URI parsing (e.g., using `@` symbols or subdomains to bypass domain allowlists).
- **OAuth Stealing:** Using the trusted app's context to intercept OAuth codes or session cookies if the WebView shares a cookie jar with the system or app.
## Indicators of Compromise
- **File Names:** `AndroidManifest.xml` (containing exported activities with `<data android:scheme="content" />` or custom schemes).
- **Network Indicators:**
  - `http[:]//attacker-controlled-domain[.]com/login`
  - `threads[:]//www.threads[.]net/l/?url=http[:]//malicious[.]com` (example of a vulnerable URI structure)
- **Behavioral Indicators:**
  - `com.instagram.threads.app.activity.ThreadsLinkResolverActivity` (or similar link-handler activities) launching WebViews with externally supplied parameters.
  - Unexpected foregrounding of a trusted app immediately followed by a login prompt.
## Associated Threat Actors
- **Generic Phishing Actors:** Historically used by various cybercriminal groups targeting Android users.
- **Researchers:** Discovery attributed to "Remote Awesome Thoughts" (Security Research).
## Detection Methods
- **Signature-based detection:** Scanning `AndroidManifest.xml` for `android:exported="true"` activities combined with `BROWSABLE` intent filters that lack `android:autoVerify="true"`.
- **Behavioral detection:** Monitoring for apps that launch WebViews where the `loadUrl` parameter originates from an unverified `Intent` extra or data URI.
- **Static Analysis:** Identifying usage of `setJavaScriptEnabled(true)` in WebViews that handle external deeplinks.
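The manifest check described above, written out as an added example (it is not code from the report or from any app it names). It parses an `AndroidManifest.xml`, finds every activity carrying a `VIEW` + `BROWSABLE` intent filter, and classifies the filter by how a foreign link can reach it: not exported, a custom scheme (which no verification mechanism covers), an unverified `http(s)` deep link, or an `autoVerify`'d App Link. The sample manifest, the `com.example.app` package and its activity and host names are constructed for the example.

```python
"""Added example (not from the original report): a static check over
AndroidManifest.xml for activities reachable from a browser link."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: one unverified link resolver with a custom
# scheme, one verified App Link, and one activity with no intent filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".LinkResolverActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="exampleapp" />
        <data android:scheme="https" android:host="www.example.com" />
      </intent-filter>
    </activity>
    <activity android:name=".HelpActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" android:host="help.example.com" />
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def classify_filter(exported, schemes, auto_verify):
    """Rank a VIEW+BROWSABLE filter by how easily a foreign link can reach it."""
    if exported == "false":
        return "not_exported"
    if any(s not in ("http", "https") for s in schemes):
        return "custom_scheme"         # no verification mechanism exists for custom schemes
    if not auto_verify:
        return "unverified_deep_link"  # any installed app may also claim these http(s) URLs
    return "app_link"                  # Digital Asset Links verification applies


def find_browsable_activities(manifest_xml):
    """Return one finding per VIEW+BROWSABLE intent filter in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        # An absent android:exported on an activity with an intent filter
        # means exported on API < 31, so only an explicit "false" is safe.
        exported = _attr(activity, "exported")
        for ifilter in activity.findall("intent-filter"):
            actions = {_attr(a, "name") for a in ifilter.findall("action")}
            categories = {_attr(c, "name") for c in ifilter.findall("category")}
            if ("android.intent.action.VIEW" not in actions
                    or "android.intent.category.BROWSABLE" not in categories):
                continue
            data = ifilter.findall("data")
            schemes = sorted({_attr(d, "scheme") for d in data if _attr(d, "scheme")})
            hosts = sorted({_attr(d, "host") for d in data if _attr(d, "host")})
            auto_verify = _attr(ifilter, "autoVerify") == "true"
            findings.append({
                "activity": _attr(activity, "name"),
                "exported": exported,
                "schemes": schemes,
                "hosts": hosts,
                "auto_verify": auto_verify,
                "category": classify_filter(exported, schemes, auto_verify),
            })
    return findings


if __name__ == "__main__":
    for f in find_browsable_activities(SAMPLE_MANIFEST):
        print(f"{f['activity']:<24} {f['category']:<22} "
              f"schemes={f['schemes']} hosts={f['hosts']}")
```

Findings in the `custom_scheme` and `unverified_deep_link` categories are the ones to pair with a code review of the handling activity: whether the URL it hands to `loadUrl` is taken from intent data without an allowlist check.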
## Mitigation Strategies
- **Input Validation:** Implement strict allowlisting for domains passed into WebViews inside the `onCreate` or `onNewIntent` methods.
- **Intent Security:** Set `android:exported="false"` for activities that do not need to be triggered by other apps.
- **Domain Verification:** Use **App Links** (Digital Asset Links) instead of standard Deep Links to ensure only verified domains can trigger the app.
- **User Education:** Warn users when they are being redirected to an external domain from within a trusted application.
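The allowlist check that belongs in `onCreate`/`onNewIntent` before `loadUrl`, as an added example that is not part of the report or of any app it names. It is written in Python with `urllib.parse` so that the two bypasses listed under Advanced Features (a trusted name placed in the `@` userinfo part, and a look-alike subdomain) can be run directly against a weak prefix check and a strict host check; in an Android handler the same fields come from `android.net.Uri` (`getScheme()`, `getHost()`, `getUserInfo()`). The `exampleapp` scheme, the `url` query parameter and the allowlisted hosts are constructed for the example.

```python
"""Added example (not from the original report): validating the URL a
deeplink hands to a WebView, with the weak check beside the strict one."""
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"www.example.com", "help.example.com"}  # constructed allowlist
APP_SCHEME = "exampleapp"                                # constructed custom scheme


def weak_is_allowed(url: str) -> bool:
    """Prefix check of the kind that `@` and subdomain tricks get past."""
    return any(url.startswith(f"https://{host}") for host in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Parse first, then compare the exact hostname against the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                     # no http://, javascript:, file:, etc.
    if parts.username is not None or parts.password is not None:
        return False                     # "https://www.example.com@evil" parses evil as host
    host = parts.hostname                # already lower-cased by urlsplit
    if not host:
        return False
    return host in ALLOWED_HOSTS         # exact match: "www.example.com.evil" is rejected


def resolve_deeplink(deeplink: str):
    """Emulate a link-resolver activity: pull ?url= out of the app's own
    deeplink and return it only when it passes the strict check."""
    parts = urlsplit(deeplink)
    if parts.scheme != APP_SCHEME:
        return None
    targets = parse_qs(parts.query).get("url", [])
    if len(targets) != 1:
        return None                      # missing or duplicated parameter
    target = targets[0]
    return target if strict_is_allowed(target) else None


if __name__ == "__main__":
    samples = [
        "https://www.example.com/login",
        "https://www.example.com@attacker.example/login",   # userinfo trick
        "https://www.example.com.attacker.example/login",   # subdomain trick
        "http://www.example.com/login",
    ]
    for url in samples:
        print(f"{url:<50} weak={weak_is_allowed(url)!s:<5} strict={strict_is_allowed(url)}")
```

Only the result of `strict_is_allowed` should ever decide whether `loadUrl` runs; anything else the resolver receives is best handed to the system browser, which at least shows the user the real address bar.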
## Related Tools/Techniques
- **App Link Hijacking:** Man-in-the-Middle or interception of intents.
- **Tabnabbing:** A similar phishing technique targeting browser tabs.
- **Android Intent Redirection:** A broader class of vulnerabilities where an app performs an action based on a malicious intent.