Exploits the intent:// handler in WebviewCard to pivot from bet365 Sports App to the Authenticator app. The Authenticator's AppDelegate parses intent query data as domain|tnt|returnURL — setting the attacker's domain as the authentication target.
domain|tnt|returnURLPayload.Instance.domain = values[0] (attacker controlled).encryptPayload() sends GPS coordinates,
device UQID, and session tokens to the specified domain.
This opens the Authenticator with your domain set as the auth target. The encrypted payload (GPS, UQID, tokens) will be sent to your server when the auth flow completes.
These trigger the Authenticator's standard deep link paths. The Authenticator processes the URL and may start location services + auth flow.
Opens the Authenticator normally. It will start location monitoring as part of its standard initialization. The LocationService is exported=true with no permission.