Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnyWhere Privilege Escalation

Presented at DEF CON 33 (2025), Aug. 8, 2025, 1:30 p.m. (45 minutes).

The LaunchAnywhere vulnerability has long been a significant concern in Android security, allowing unprivileged applications to invoke protected activities, even with system-level privileges, and has been actively exploited in the wild in the past. In response, Google and device vendors have implemented patches, primarily by introducing destination component checks within privileged code before launching Intents. These fixes appeared to have mitigated such risks—at least on the surface. But has the threat truly been eliminated?

In this session, we demonstrate that these defenses remain insufficient. We introduce a new exploitation technique, BadResolve, which bypasses these checks through multiple methods, enabling a zero-permission app to achieve LaunchAnywhere once again. We reveal high-severity vulnerabilities that affect all Android versions, including the latest Android 16 (at time of writing), which have been confirmed and patched by Google. Dead, made alive again—we show how the LaunchAnywhere vulnerability has been reborn.

In addition to presenting new exploitation techniques, we tackle the challenge of efficiently and accurately identifying methods in the vast codebases of AOSP and vendor-specific closed-source implementations that could be exploited by BadResolve, using LLM Agents and MCP.

References:

- [link](https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Ke-Android-Parcels-Introducing-Android-Safer-Parcel.pdf)
- [link](https://blog.canyie.top/2024/11/07/self-changing-data-type/)

Presenters:

  • Qidan "flanker_hqd" He
    Qidan He (a.k.a. Edward Flanker, CISSP) is the winner of multiple Pwn2Own championships and the Pwnie Award. He is now the Director & Chief Security Researcher at Dawn Security Lab, JD.com. He has spoken at conferences like Black Hat, DEFCON, RECON, CanSecWest, MOSEC, HITB, PoC, etc. He is also a committee member and judge for GeekPwn and GeekCon.
