CVE-2026-0087: Android App Link Hijacking via Domain Verification Logic Error
A logic error in Android's domain verification service allows a local attacker to hijack app links associated with arbitrary applications. By exploiting this flaw, an attacker can redirect app links to malicious apps, potentially intercepting sensitive user actions or data. The vulnerability requires local access but no special permissions or user interaction, making it a meaningful escalation path on compromised or personally-owned devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-693
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0087 is a privilege escalation vulnerability in the DomainVerificationService.java component of Google Android. The flaw resides in the approvalLevelForDomainInternal method, where a logic error in domain verification logic permits an unprivileged local process to manipulate app link associations. The vulnerability is rooted in improper validation of domain ownership claims, allowing an attacker to claim verification of domains already associated with legitimate apps. This leads to local privilege escalation without requiring additional execution privileges or user interaction.
Business impact
Organizations deploying Android devices—particularly in BYOD programs, enterprise mobility initiatives, or customer-facing applications—face increased risk of phishing and credential harvesting attacks. App link hijacking can redirect users away from legitimate banking, payment, or authentication apps to attacker-controlled counterparts, compromising user trust and enabling fraud. For app developers, this vulnerability can lead to reputational damage if their app links are hijacked to deliver malicious content. Remediation delays extend the attack window during which threat actors can establish persistence or conduct targeted fraud.
Affected systems
This vulnerability affects Google Android across multiple versions. The ground-truth source indicates six instances of 'google android' in the affected products list, suggesting a broad version range. Specific version boundaries and patch versions are not provided in the source data; verification against Google's official Android Security & Privacy bulletin is required to determine the exact Android versions, patch levels, and device models impacted. Organizations should cross-reference the official advisory to assess their device inventory.
Exploitability
Exploitation requires local code execution on the target device—achievable through malware installation, sideloading, or supply-chain compromise. Once an attacker has established a local foothold with basic user privileges, no additional exploitation steps are needed. The absence of user interaction requirements and the straightforward nature of the logic error make this a practical attack vector in real-world scenarios. However, the local-only attack surface limits exposure to devices already under partial attacker control or in high-trust environments (shared devices, test labs).
Remediation
Apply the security patch provided by Google as part of the Android monthly or emergency security update cycle. Verify the specific patch version and Android version by consulting Google's official Android Security & Privacy bulletin corresponding to the June 2026 publication date. Enterprise administrators should enforce mandatory device updates through mobile device management (MDM) policies and prioritize patching on devices handling sensitive applications (banking, payment, authentication). For users, enable automatic system updates and restrict sideloading from unknown sources.
Patch guidance
Patches will be available through Google's Android security update channel. Users should navigate to Settings > System > System Update on their device and install updates as they become available. Enterprise administrators deploying Android through MDM solutions should enable automatic security patch deployment and configure device policies to restrict installation of unsigned applications. Verify patch applicability by cross-referencing your device model and current Android version against the official Android Security & Privacy bulletin; not all devices receive updates simultaneously. Plan and test updates in non-production environments before broad rollout.
Detection guidance
Monitor for suspicious app link associations on user devices through MDM telemetry and app inventory scans. Endpoint detection and response (EDR) solutions should flag processes attempting to invoke the DomainVerificationService with unusual parameter patterns or from unexpected callers. Security teams can search logs for unexpected app link claim attempts targeting high-value apps (banking, payment, SSO). On rooted or compromised devices, inspect the domain verification cache and app link configuration for unauthorized modifications. Behavioral indicators include sudden redirection of authenticated app links or unexpected authorization requests from lesser-known apps mimicking legitimate services.
Why prioritize this
While the local-only attack vector limits broad exposure, the combination of no user interaction, no additional privileges required, and high potential impact (credential theft, fraud via app link hijacking) warrants elevated priority. Organizations with enterprise app ecosystems, payment processing, or multi-factor authentication through app links should prioritize patching. BYOD environments and devices with sensitive banking or health apps should be treated as high priority. General consumer devices with light app usage can follow standard update timelines but should not be deferred indefinitely.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a high-impact local privilege escalation with confidentiality, integrity, and availability consequences (C:H, I:H, A:H). The attack vector is local (AV:L), attack complexity is low (AC:L), and privileges required are low (PR:L), reflecting practical exploitability. The lack of user interaction (UI:N) elevates severity. The scope is unchanged (S:U), indicating impact is confined to the affected system. The score appropriately captures the real-world risk posed by app link hijacking on a device where an attacker has already gained initial access.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. This vulnerability requires local code execution on the target device. An attacker must first establish a foothold through malware, sideloading, supply-chain compromise, or physical access. Remote attackers cannot exploit this flaw directly.
Which Android apps are most at risk from app link hijacking?
Banking, payment, cryptocurrency, single sign-on (SSO), and authentication apps are highest-risk targets. Attackers prioritize these because hijacking their app links directly leads to credential theft or unauthorized transactions. Email and messaging apps are also valuable targets for social engineering pivots.
Do I need to uninstall or reinstall apps after patching?
No. Patching the underlying Android system vulnerability is sufficient. Once you update your device, the domain verification logic will be corrected and existing app link associations will be re-validated. No app reinstallation is required.
How does this differ from a typical phishing attack?
This vulnerability allows an attacker to silently redirect legitimate app links without user awareness. A user might tap what they believe is a legitimate bank app link, only to be routed to an attacker's counterfeit app. Traditional phishing requires a user to actively choose a malicious link; this attack bypasses that choice at the OS level.
This analysis is based on the official CVE record and CVSS assessment published as of June 2026. Specific affected Android versions, patch versions, and availability dates must be verified against Google's official Android Security & Privacy bulletin. Organizations should conduct internal risk assessments based on their device inventory and use cases. This explainer does not constitute security advice; consult your vendor advisories and security team for deployment decisions. No exploit code or weaponized proof-of-concept is provided herein. SEC.co does not guarantee the completeness or timeliness of this assessment and recommends continuous monitoring of official sources for updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-48649HIGHAndroid Local Privilege Escalation via Permission Bypass
- CVE-2025-48652HIGHAndroid MDM Bypass Logic Flaw – HIGH Severity Privilege Escalation
- CVE-2026-0045HIGHAndroid Bluetooth Bonding Bypass Privilege Escalation
- CVE-2026-0077HIGHAndroid ActivityRecord Privilege Escalation Vulnerability
- CVE-2026-0097HIGHAndroid Bluetooth Pairing Logic Error Allows Silent Privilege Escalation
- CVE-2026-10944MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Now
- CVE-2026-10950MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Guide
- CVE-2025-52609LOWHCL iControl Missing Security Headers XSS Vulnerability