JustAppSec

Mobile MCP patches arbitrary Android intent execution via URL schemes

Published 04 Apr 2026. Updated 04 Apr 2026. Source: GitHub Advisory Database.

TL;DR — @mobilenext/mobile-mcp’s mobile_open_url tool can be abused to execute arbitrary Android intents (e.g., tel:, sms:, content://) because it forwards attacker-controlled URLs to Android without scheme validation.

What happened

@mobilenext/mobile-mcp is an MCP (Model Context Protocol) server intended to let AI agents automate actions on connected Android devices.

A GitHub-reviewed advisory (CVE-2026-35394) reports that the mobile_open_url tool passes user-supplied URLs directly into Android’s intent system via an adb shell am start -a android.intent.action.VIEW -d <url> call, without validating the URL scheme. This allows execution of arbitrary Android intents, including schemes like tel:, sms:, mailto:, content://, and market://.

The advisory explicitly highlights why this is operationally dangerous in the MCP/agent context: prompt injection from a malicious document or website can coerce an AI agent into triggering dangerous intents on a real connected device (calls/SMS/USSD/content provider access), turning “AI browsing” into a device-side action channel. CVSS is provided as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H and the database severity is marked High.

Who is impacted

  • Projects using the npm package @mobilenext/mobile-mcp in any version that still has the vulnerable mobile_open_url behavior (the advisory marks the affected range as introduced: 0, fixed: 0.0.50, i.e. every release before 0.0.50).
  • Teams running mobile-mcp in an agentic workflow where the agent can be influenced by untrusted content (e.g., web pages, documents, tickets) and has access to a connected Android device over ADB.
  • Highest-risk setups include devices with sensitive data accessible via intents/content providers (contacts, SMS, call logs) and environments where an agent can execute tool calls with limited human review.

What to do now

  • Follow vendor remediation guidance and apply the patched release.
    • "Upgrade to version 0.0.50 or later, which restricts mobile_open_url to http:// and https:// schemes by default."

    • "Users who require other URL schemes can opt in by setting MOBILEMCP_ALLOW_UNSAFE_URLS=1."

  • Treat this as an agent tool-abuse class issue (prompt injection → tool invocation): review how your agent decides to call tools/call, and add explicit human confirmation for any action that can trigger device-side side effects (calls, SMS, app store, deep links).
  • Audit logs/telemetry for suspicious mobile_open_url invocations (e.g., tel:*#..., sms:, content://) and confirm no unexpected device actions occurred during agent runs.
  • Reduce blast radius: isolate the Android device used for automation (separate profile/device), and ensure the ADB-connected device does not contain production credentials or high-value personal data.

Additional Information

  • Advisory and technical details: https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm
  • Fix PR (as referenced by the advisory): https://github.com/mobile-next/mobile-mcp/pull/299
  • Release referenced by the advisory: https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.50

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
