Deterministic encryption + exported activity. Forged push notification steals session tokens without any user interaction.
Mar 4, 2026

A self-custody mobile wallet's browse deep link accepted any URL and loaded it inside the in-app dApp browser, where the signing bridge was injected into all origins, enabling a two-tap drain of any user via a phishing link.
Mar 4, 2026

SDK key from APK created unlimited verified deep links. Chained with unfiltered WebView for in-app credential theft.
Mar 4, 2026

A centralized exchange's Android deep link handler loaded any attacker URL inside the real app shell with the native JavaScript bridge attached, enabling one-tap credential phishing with no malicious app install needed.
Mar 4, 2026

Three chained flaws in a crypto exchange's Android app gave full account access from a single tap.
Mar 2, 2026

No-auth endpoint generated support tokens for any user. Read conversations, download KYC docs, send messages as victim.
Mar 2, 2026

A wallet's deep link handler accepted any URL and loaded it inside the privileged in-app browser, where the signing bridge gave attacker pages full access to wallet address, message signing, and typed data signing.
Feb 27, 2026

Flawed domain check allowed attacker URL in WebView. Session token stolen in under 2 seconds, valid for 7 months.
Feb 26, 2026

RSA-2048 key extracted from a .so file in 5 seconds. Forged push notifications to any wallet user.
Feb 26, 2026

A wallet provider's GraphQL endpoint allowed any anonymous caller to read user emails, 250K IP-to-wallet mappings, 80K push tokens, and private support messages, deanonymizing blockchain users at scale.
Feb 26, 2026
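Several of the entries above share one root cause: a deep link handler that decides whether a URL may be loaded into a WebView that carries a native or signing bridge, and gets that decision wrong (or does not make it at all). The block below is an added illustration, not code from any of the apps or write-ups listed; it shows the substring style of domain check that typically lets attacker URLs through next to a strict parse-and-compare allow-list, run over a set of constructed deep-link targets. It is written in Python so it runs stand-alone; an Android handler would apply the same logic to the `Uri` it receives from the intent. The host names, allow-list and sample URLs are assumptions for the example.

```python
"""Host allow-list check for URLs opened in a privileged in-app WebView.

Added illustrative example; not code from any app or write-up on this page.
All host names and sample URLs below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Assumed allow-list: the only origins the app should ever load with its
# JavaScript/signing bridge attached. Exact hosts, not patterns.
ALLOWED_HOSTS = {"app.example-wallet.com", "support.example-wallet.com"}
ALLOWED_SCHEMES = {"https"}


def flawed_is_trusted(url: str) -> bool:
    """The kind of check that fails in practice: the trusted domain merely
    has to appear somewhere in the string. Attacker subdomains, userinfo,
    query parameters, paths and non-https schemes all pass."""
    return "example-wallet.com" in url


def strict_is_trusted(url: str) -> bool:
    """Parse first, then compare scheme and the exact host to the allow-list.
    Anything that does not resolve to a single https host we own is refused."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        # https://app.example-wallet.com@evil.test/ : the trusted name is
        # userinfo, the real host is evil.test. Refuse outright.
        return False
    host = parts.hostname  # lower-cased, port and userinfo stripped
    return host is not None and host in ALLOWED_HOSTS


# Constructed sample deep-link targets: (url, attacker_controlled)
SAMPLE_URLS = [
    ("https://app.example-wallet.com/swap", False),
    ("https://app.example-wallet.com.evil.test/", True),        # attacker subdomain
    ("https://evil.test/?next=https://app.example-wallet.com", True),  # trusted name in query
    ("https://app.example-wallet.com@evil.test/", True),        # trusted name as userinfo
    ("http://app.example-wallet.com/", True),                   # plaintext downgrade
    ("javascript:alert(document.cookie)//app.example-wallet.com", True),  # script scheme
    ("https://evil.test/app.example-wallet.com", True),         # trusted name in path
]


def evaluate(check) -> list:
    """Return the attacker-controlled sample URLs that `check` would allow
    into the bridged WebView."""
    return [url for url, attacker in SAMPLE_URLS if attacker and check(url)]


if __name__ == "__main__":
    print("flawed check lets through:", evaluate(flawed_is_trusted))
    print("strict check lets through:", evaluate(strict_is_trusted))
```

Two design points carry over to the mobile handlers described above: the decision must be made on the parsed host, never on the raw string, and the scheme must be pinned so that a "trusted" host cannot be reached over http or a script scheme. Even with a correct check, the bridge itself should only be attached to the origins that need it rather than to every page the WebView loads.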