Android Hacking: Exploiting Broadcast Receiver
2024-2-28 03:54:51 Author: infosecwriteups.com

Angelo Pio Amirante

InfoSec Write-ups

A broadcast receiver in Android is a component that allows the application to receive system-wide messages or messages from other applications. It is like a listener that waits for specific broadcast announcements or intents. When a relevant broadcast is detected, the receiver triggers a corresponding action, allowing apps to respond to events even when they are not running.

If not properly protected, however, broadcast receivers can be exploited by malicious apps or attackers to intercept sensitive information or manipulate app behavior.

A receiver becomes vulnerable when it’s made accessible for external use (exported), exposes internal functionality, and lacks proper permission controls.

We will now examine a vulnerable application provided by OWASP, named FourGoats. This analysis will help us comprehend the process of identifying a vulnerable receiver and exploiting it effectively.

Manifest analysis

Below is an example of an exported receiver with no permissions set:

The name of the receiver is SendSMSNowReceiver, with an action called SOCIAL_SMS.
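The manifest check described above, written as a small audit script that also covers receivers exported by default. This is an added example, not code from the original article or from FourGoats; the sample manifest, its com.example.app package and the GuardedReceiver, LegacyReceiver and InternalReceiver entries are constructed, and only the SendSMSNowReceiver and SOCIAL_SMS names come from the text.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not the FourGoats file): one receiver shaped like
# the one described above, one guarded by a permission, two edge cases.
SAMPLE_MANIFEST = """<manifest package="com.example.app"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".SendSMSNowReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.app.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.app.permission.SEND">
      <intent-filter><action android:name="com.example.app.GUARDED"/></intent-filter>
    </receiver>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.app.LEGACY"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""


def find_unprotected_receivers(manifest_xml):
    """Return (name, actions, reason) for receivers other apps can reach unchecked."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for rcv in app.findall("receiver"):
        actions = [a.get(ANDROID + "name") for a in rcv.findall("intent-filter/action")]
        exported = rcv.get(ANDROID + "exported")
        if exported is None:
            # Without the attribute, an intent filter makes the receiver exported
            # by default for apps targeting below API 31.
            is_exported, reason = bool(actions), "exported by default (intent-filter)"
        else:
            is_exported, reason = exported.lower() == "true", "android:exported=true"
        # A receiver without its own permission inherits <application android:permission>.
        if is_exported and not (rcv.get(ANDROID + "permission") or app_permission):
            findings.append((rcv.get(ANDROID + "name"), actions, reason))
    return findings


if __name__ == "__main__":
    for name, actions, reason in find_unprotected_receivers(SAMPLE_MANIFEST):
        print(f"{name}: {reason}, no permission, actions={actions}")
```

Run it against the decoded AndroidManifest.xml of an app you maintain; each finding is a receiver that needs either android:exported="false" or a permission that callers must hold.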

SendSMSNowReceiver class

This receiver extracts two extras, named phoneNumber and message, from a Bundle. It uses the extras to send an SMS message.

The vulnerability is that another app can make this vulnerable app send an SMS message by broadcasting an intent whose bundle carries these specific extras, which triggers the receiver. Let’s see a PoC in Java that exploits this vulnerability.

The exploit app has three UI components:

  • EditText for phone number
  • EditText for message
  • Button to trigger the exploit

Below you can find the onCreate method of the POC App and the code of the sendSms method used to exploit the vulnerability.

protected void onCreate(Bundle…


Article source: https://infosecwriteups.com/android-hacking-exploiting-broadcast-receiver-a0bec16ecc08?source=rss----7b722bfd1b8d---4