CVE-2024-32653
Description
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jadx prior to 1.5.0 allows command injection via unsanitized package names, enabling shell command execution on connected Android devices.
The vulnerability is in jadx-gui's ADB integration: fullAppName, derived from the decompiled app's package name, is concatenated directly into a shell command without sanitization [1]. The resulting string, am start -D -n followed by fullAppName, is sent to the device through ADB.execShellCommandRaw [1][3]. An attacker can build an Android app whose package name contains shell metacharacters such as | or ;. When a user opens that APK in jadx and clicks "Launch App" in the debug menu, the device's shell parses the injected text as additional commands, which run with the privileges of the adb shell user on the connected device [3]. The proof-of-concept package name com.example | svc power shutdown | echo shuts the device down as soon as the app is launched [3]. The impact is arbitrary command execution on the connected Android device at adb shell privilege, which can lead to data theft, device manipulation or denial of service [3]. Version 1.5.0 filters the package name before concatenation [2]; users should upgrade to jadx 1.5.0 or later.
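The concatenation-then-shell pattern described above, shown as an added Java example beside a hardened form. This is illustrative code written for this page, not jadx's own source, and it does not reproduce the exact filter that shipped in 1.5.0; the class and method names, the component-name grammar and the sample inputs are all assumptions. The malicious input is the proof-of-concept package name quoted in the insight.

```java
import java.util.regex.Pattern;

/**
 * Illustration of CVE-2024-32653: an Android package/component name is
 * concatenated into an "am start" shell command, first without and then with
 * validation. Hypothetical code; names and grammar are assumptions, not jadx's.
 */
public class LaunchCommandBuilder {

    // Conservative grammar for an Android package name: dot-separated,
    // ASCII, Java-style identifiers. Real identifiers may be broader
    // (assumption), but anything this rejects is also something a POSIX
    // shell could misinterpret, so erring on the strict side is safe here.
    private static final String PACKAGE =
            "[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*";

    // Component form accepted by "am start -n": package/activity, where the
    // activity may be written relative to the package with a leading dot.
    private static final Pattern COMPONENT =
            Pattern.compile(PACKAGE + "(/\\.?" + PACKAGE + ")?");

    /** Vulnerable shape: attacker-influenced name goes straight into the shell string. */
    static String buildLaunchCommandUnsafe(String fullAppName) {
        return "am start -D -n " + fullAppName;
    }

    /** Hardened shape: refuse anything that is not a well-formed component name. */
    static String buildLaunchCommandSafe(String fullAppName) {
        if (!isValidComponent(fullAppName)) {
            throw new IllegalArgumentException(
                    "refusing to launch: package/component name is not well-formed");
        }
        return "am start -D -n " + fullAppName;
    }

    /** Full-string match, so embedded whitespace, |, ;, $, ` and quotes are all rejected. */
    static boolean isValidComponent(String name) {
        return name != null && COMPONENT.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign component and the page's proof-of-concept package name.
        String benign = "com.example.app/.MainActivity";
        String malicious = "com.example | svc power shutdown | echo";

        // The unsafe builder keeps the pipes intact; on the device, sh would
        // run "am start ...", "svc power shutdown" and "echo" as three commands.
        System.out.println("unsafe: " + buildLaunchCommandUnsafe(malicious));

        System.out.println("safe:   " + buildLaunchCommandSafe(benign));
        try {
            buildLaunchCommandSafe(malicious);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An ADB shell request is a single string that /system/bin/sh on the device interprets, so there is no argv-style call to fall back on; validating the name against the grammar the command actually needs, rather than stripping a blacklist of metacharacters, is the practical control. The same check belongs in front of any other device-side command jadx builds from APK-derived strings.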
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
1f2ea6415c922
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.