Bypassing Intent Destination Checks, LaunchAnyWhere Privilege Escalation

Name: Bypassing Intent Destination Checks, LaunchAnyWhere Privilege Escalation
Description: LaunchAnyWhere is one of Android's most consequential historical vulnerability classes: an unprivileged application leveraging a privileged bridge to invoke protected or unexported activities on its b

Qidan He

DEF CON 33 · Day 2 · Main Stage

LaunchAnyWhere is one of Android's most consequential historical vulnerability classes: an unprivileged application leveraging a privileged bridge to invoke protected or unexported activities on its b

AI review

Qidan He's BadResolve technique resurrects LaunchAnyWhere privilege escalation on all Android versions including Android 16 by exploiting a race condition between intent resolution and launch, with an LLM-assisted pipeline to find additional gadgets.

Watch on YouTube