The LaunchAnywhere vulnerability has long been a significant concern in Android security, allowing unprivileged applications to invoke protected activities, even with system-level privileges, and have been actively exploited in the wild in the past. In response, Google and device vendors have implemented patches, primarily by introducing destination component checks within privileged code before launching Intents. These fixes appeared to have mitigated such risks—at least on the surface. But has the threat truly been eliminated? In this session, we demonstrate that these defenses remain insufficient. We introduce a new exploitation technique, BadResolve, which bypasses these checks through multiple methods, enabling a zero-permission app to achieve LaunchAnywhere once again. We reveal high-severity vulnerabilities that affect all Android versions, including the latest Android 16 (at time of writing), which have been confirmed and patched by Google. Dead, made alive again— we show how the LaunchAnywhere vulnerability has been reborn. In addition to presenting new exploitation techniques, we tackle the challenge of efficiently and accurately identifying methods in the vast codebases of AOSP and vendor-specific closed-source implementations that could be exploited by BadResolve, using LLM Agents and MCP.

DEF CON 34 - DEF CON Policy Announcement - Katie Noble, Heather West
5.4K views

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon
11.1K views

DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
8.5K views

DEF CON 33 - Can't Stop the ROP: Automating Universal ASLR Bypasses - Bramwell Brizendine
3.6K views

DEF CON 33 Recon Village - Building Local Knowledge Graphs for OSINT - Donald Pellegrino
5.4K views

DEF CON 33 Recon Village - Mapping the Shadow War From Estonia to Ukraine - Evgueni Erchov
6.4K views