diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md
index 99a9c58a136..a43f78ab26c 100644
--- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md
+++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md
@@ -285,6 +285,65 @@ Flags helpful for singleTask-style behavior
 adb shell am start -n com.target/.ExportedActivity --activity-clear-task --activity-new-task
 ```
 
+### Exported SDK proxy activity + `Intent.parseUri(..., URI_ALLOW_UNSAFE)` + provider grant abuse
+
+A high-impact variant appears when a **third-party SDK adds an exported proxy Activity** in the **merged manifest** and that Activity turns attacker-controlled input into a new `Intent` that the victim app launches.
+
+Common flow:
+- Malicious app explicitly starts an **exported** Activity added by an SDK.
+- The Activity reads an attacker-controlled extra/data field, sometimes wrapping it in JSON first.
+- A field like `intent_uri` / `redirect_intent` / `n_intent_uri` is passed into `Intent.parseUri(...)`.
+- The parsed result is later executed with `startActivity(...)`, `startService(...)`, or `sendBroadcast(...)` **under the victim app UID/permissions**.
+
+High-risk indicators during review:
+- SDK-added components visible only in the **merged** `AndroidManifest.xml`.
+- `Intent.parseUri(untrusted, Intent.URI_ALLOW_UNSAFE)` on user-controlled strings.
+- Code that appears to sanitize the parsed `Intent` (`setComponent(null)`, action checks, etc.) but **returns or launches a different explicit Intent**.
+- Provider-related flags surviving the parse/forward chain:
+  - `FLAG_GRANT_READ_URI_PERMISSION`
+  - `FLAG_GRANT_WRITE_URI_PERMISSION`
+  - `FLAG_GRANT_PERSISTABLE_URI_PERMISSION`
+
+Why this matters
+- This is not only a generic redirect to another exported component. If the forwarded `Intent` points to a `content://` URI, the victim app can become the **confused deputy** that grants provider access on behalf of the attacker.
+- With `URI_ALLOW_UNSAFE`, attacker-controlled `intent:` strings can preserve grant flags during parsing. If the target flow later accepts/takes the grant, the attacker may obtain **persistent** read/write access until the victim revokes it.
+- In practice this can expose data reachable through providers that rely on the victim app identity or transient URI grants, including app-private files surfaced through `FileProvider`-style paths.
+
+What to look for in code / Smali
+- Exported Activity/Receiver/Service calling:
+  - `Intent.parseUri(...)`
+  - `startActivity(...)` / `startService(...)` / `sendBroadcast(...)`
+  - `setFlags(...)`, `addFlags(...)`, `getFlags()`
+  - `setComponent(null)` or `setPackage(null)` on one object while another `Intent` is actually returned/launched
+- Parse-and-forward chains such as:
+  - incoming extra → JSON object → `intentUri` field → `Intent.parseUri(...)` → launch
+  - deep link / push payload / notification payload → helper method → explicit internal launch
+- Manifest-merging surprises from dependencies:
+```bash
+# Inspect final exported components, not only the source manifest
+apkanalyzer manifest print app.apk | grep -n -A4 -B2 'exported'
+```
+
+ADB testing ideas
+```bash
+# 1. Reach the exported proxy component directly
+adb shell am start -n com.victim/.SdkProxyActivity \
+  --es payload '{"n_intent_uri":"intent:#Intent;action=android.intent.action.VIEW;S.browser_fallback_url=https://attacker.tld;end"}'
+
+# 2. Test whether the app reparses an intent URI and launches an explicit internal target
+adb shell am start -n com.victim/.SdkProxyActivity \
+  --es payload '{"n_intent_uri":"intent:#Intent;component=com.victim/.SensitiveActivity;end"}'
+
+# 3. Probe provider-grant behaviour with content:// targets and grant flags
+adb shell am start -n com.victim/.SdkProxyActivity \
+  --es payload '{"n_intent_uri":"intent:#Intent;action=android.intent.action.VIEW;data=content://com.victim.fileprovider/root/secret.xml;launchFlags=0x43;end"}'
+```
+
+Notes
+- `0x43` is a compact test value for `FLAG_GRANT_READ_URI_PERMISSION` (`0x1`), `FLAG_GRANT_WRITE_URI_PERMISSION` (`0x2`), and `FLAG_GRANT_PERSISTABLE_URI_PERMISSION` (`0x40`).
+- Exact extra names differ by app/SDK. During reversing, grep for `getStringExtra`, JSON field names, and helper methods that rebuild `Intent` objects from strings.
+- If the vulnerable component comes from a dependency, always inspect the **merged manifest** generated after Gradle manifest merge, not only the developer-authored source manifest.
+
 Real-world examples (impact varies):
 - CVE-2024-26131 (Element Android): exported flows leading to WebView manipulation, PIN bypass, login hijack.
 - CVE-2023-44121 (LG ThinQ Service): exported receiver action `com.lge.lms.things.notification.ACTION` → system-level effects.
@@ -392,6 +451,9 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm
 - [CVE-2020-14116 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14116)
 - [Android Intents (1/2): how they work, security, and attack examples – Mobeta](https://mobeta.fr/android-intent-hijacking-pentest-mobile/)
 - [Android Intent reference](https://developer.android.com/reference/android/content/Intent)
+- [Android docs – `URI_ALLOW_UNSAFE`](https://developer.android.com/reference/android/content/Intent#URI_ALLOW_UNSAFE)
+- [Android docs – `FLAG_GRANT_PERSISTABLE_URI_PERMISSION`](https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_PERSISTABLE_URI_PERMISSION)
+- [Microsoft: Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk](https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/)
 - [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/)
 - [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html)
 - [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01)
@@ -401,4 +463,4 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm
 - [Android docs – Intents and Intent Filters](https://developer.android.com/guide/components/intents-filters)
 
 
-{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
+{{#include ../../banners/hacktricks-training.md}}