ASE2025

DeepExploitor: LLM-Enhanced Automated Exploitation of DeepLink Attack in Hybrid Apps

Zhangyue Zhang, Lei Zhang, Zhibo Zhang, Yongheng Liu, Zhemin Yang, Yuan Zhang, Min Yang

Abstract

Modern mobile apps widely embed WebView to enable rich and dynamic content, making it an increasingly attractive target for attackers. It is well known that insufficient or improper input validation on WebView-loaded URLs can compromise the entire app or even the underlying system. Among these threats, one of the most critical attack vectors is the DeepLink Attack, which often requires only a single user click to exploit WebView vulnerabilities. Despite the deployment of defenses such as URL allowlists, misconfigurations and inconsistent implementations continue to expose apps to exploitation.

In this paper, we present DeepExploitor, the first automated exploit generation framework targeting vulnerabilities exploitable via DeepLink Attack. DeepExploitor addresses two key challenges. First, it statically models complex, app-specific routing encapsulation and customized input parsing logic by extracting constraint-related code and resolving it through large language models (LLMs), enabling scalable discovery of valid exploits. Second, it identifies and mutates trusted domains embedded in the app to bypass black-box defenses such as domain-based allowlists. We evaluated DeepExploitor on 433 of the most popular Android apps and uncovered 83 zero-day vulnerabilities, including 24 rated as high or critical severity. All findings were responsibly disclosed to affected vendors, with 35 acknowledged or assigned CVE/CNVD identifiers to date.
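The abstract describes the two ingredients of the attack surface it studies: a deeplink that carries a URL into a WebView, and a domain allowlist whose misconfiguration lets an unintended origin through. The following is an added illustration written for this page, not code from the paper or from the DeepExploitor framework. It assumes a hypothetical routing scheme `myapp://webview?url=<encoded URL>` and a constructed trusted host `app.example.com`, and runs a handful of constructed target URLs through two commonly misconfigured allowlist checks (substring match on the raw URL, host-suffix match without a leading dot) and one hardened check (exact match on the parsed host plus a scheme restriction), so that the difference in what each check accepts is visible.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: the only web origin this hypothetical app
# should ever load into its WebView.
TRUSTED_HOSTS = {"app.example.com"}
ALLOWED_SCHEMES = {"https"}


def build_deeplink(target: str) -> str:
    """Build a deeplink in the assumed routing format myapp://webview?url=..."""
    return "myapp://webview?" + urlencode({"url": target})


def extract_target_url(deeplink: str) -> Optional[str]:
    """Route the deeplink and pull out the URL destined for the WebView.

    Hypothetical routing logic: only the 'webview' route carries a target URL.
    """
    parts = urlsplit(deeplink)
    if parts.scheme != "myapp" or parts.netloc != "webview":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def weak_substring_check(url: str) -> bool:
    """Misconfiguration: allowlist by substring on the raw URL string.

    Accepts any URL that merely mentions the trusted host anywhere, e.g. in a
    query parameter of a different origin.
    """
    return any(host in url for host in TRUSTED_HOSTS)


def weak_suffix_check(url: str) -> bool:
    """Misconfiguration: allowlist by host suffix without requiring a '.' boundary.

    'notapp.example.com' ends with 'app.example.com' and is wrongly accepted.
    The scheme is not checked either.
    """
    host = urlsplit(url).hostname or ""
    return any(host.endswith(trusted) for trusted in TRUSTED_HOSTS)


def hardened_check(url: str) -> bool:
    """Exact host comparison on the parsed URL, restricted to HTTPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()  # hostname already strips userinfo/port
    return host in TRUSTED_HOSTS


def decide(deeplink: str, check: Callable[[str], bool]) -> bool:
    """Full pipeline: route the deeplink, then apply the given allowlist check."""
    target = extract_target_url(deeplink)
    return target is not None and check(target)


# Constructed sample targets: one legitimate, three that a correct allowlist
# must reject.
SAMPLES = [
    "https://app.example.com/page",
    "https://notapp.example.com/",
    "https://other.example/?next=app.example.com",
    "http://app.example.com/",
]

CHECKS = (weak_substring_check, weak_suffix_check, hardened_check)


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """Return, per sample target, the verdict of (substring, suffix, hardened)."""
    return {
        target: tuple(decide(build_deeplink(target), check) for check in CHECKS)
        for target in SAMPLES
    }


if __name__ == "__main__":
    print(f"{'target':48} substring  suffix  hardened")
    for target, verdicts in evaluate().items():
        print(f"{target:48} " + "  ".join(f"{str(v):9}" for v in verdicts))
```

Only the legitimate target passes all three checks; the other three are each accepted by at least one of the weak checks and rejected by the hardened one. The hardened check parses before comparing, so the decision is made on the host the WebView will actually connect to rather than on a string the sender controls.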