
AI-Powered System ‘A2’ Revolutionizes Android Vulnerability Detection, Uncovers Over 100 Zero-Day Flaws

TLDR: Computer scientists from Nanjing University and the University of Sydney have developed A2, an advanced AI agent system capable of autonomously discovering and validating zero-day vulnerabilities in Android applications. The system has identified 104 true-positive zero-day flaws in production apps, significantly outperforming traditional static analysis tools and offering a new paradigm for application security.

A groundbreaking artificial intelligence system, dubbed A2, is set to transform the landscape of Android application security by automating the discovery and validation of critical vulnerabilities. Developed by computer scientists Ziyue Wang from Nanjing University in China and Liyi Zhou from The University of Sydney in Australia, A2 builds upon their previous work, A1, which focused on exploiting cryptocurrency smart contracts.

Described in their preprint paper, ‘Agentic Discovery and Validation of Android App Vulnerabilities,’ A2 functions as an AI agent designed to emulate human bug hunters. It has demonstrated remarkable efficacy, achieving 78.3 percent coverage on the Ghera benchmark, a significant leap compared to static analyzers like APKHunt, which only managed 30.0 percent. In a real-world application, A2 was deployed on 169 production Android Package Kits (APKs), where it successfully identified ‘104 true-positive zero-day vulnerabilities.’ Notably, 57 of these flaws were self-validated through automatically generated proof-of-concept (PoC) exploits.

One particularly impactful discovery by A2 was a medium-severity intent redirect issue found in an Android application with over 10 million installs. Liyi Zhou explained the nature of this vulnerability in an email to The Register: ‘This is not a trivial bug, and it shows A2’s ability to uncover real, impactful flaws in the wild.’ He elaborated that an intent redirect occurs when an Android app sends a message (an intent) but fails to adequately verify its destination, allowing a malicious app to reroute it to a controlled component.

Zhou asserts that A2 is capable of handling any class of vulnerabilities, emphasizing its ability to provide ‘signal rather than noise’ by validating its findings. This addresses a common problem with existing Android vulnerability detection tools, which often ‘overwhelm teams with thousands of low-signal warnings yet uncover few true positives.’ According to Zhou, ‘A2’s breakthrough is that it mirrors how human security experts actually work.’

The agentic system of A2 integrates various commercial AI models, including OpenAI o3 (o3 2025-04-16), Gemini 2.5 Pro (gemini-2.5-pro), Gemini 2.5 Flash (gemini-2.5-flash), and GPT oss (gpt-oss-120b). These models operate in three distinct roles: a planner that designs the attack strategy, a task executor that carries out the attack, and a crucial task validator that generates test oracles and verifies the results. This validation component is highlighted as ‘the key novelty in A2’ compared to its predecessor, A1, which had limited, fixed validation.

Zhou provided a detailed example of A2’s validation process using a task from the Ghera dataset involving a password reset flow. A2 breaks down the process into three tasks: extracting a hardcoded AES key from `strings.xml`, forging a password reset token using a victim’s email and the extracted key, and finally, proving authentication bypass by launching a `NewPasswordActivity` with the forged token. Each step is independently validated, confirming the existence of the key, the validity of the forged token, and the successful bypass of authentication.
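A defender-side check for the first step of the flow described above, as an added example that is not from the A2 paper or its authors: it scans a `strings.xml` resource file for values that decode to AES key sizes, so embedded key material is caught before release. The resource names, sample values and severity labels are constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

AES_KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes
NAME_HINT = re.compile(r"key|secret|aes|token|passw", re.I)

# Constructed sample resource file; names and values are invented for this example.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo Reset App</string>
    <string name="reset_aes_key">MDEyMzQ1Njc4OWFiY2RlZg==</string>
    <string name="iv_hex">000102030405060708090a0b0c0d0e0f</string>
    <string name="welcome">Welcome back to the app</string>
    <string name="api_secret">changeme</string>
</resources>"""


def decoded_length(value):
    """Return (encoding, byte length) if value decodes as hex or base64, else None."""
    v = value.strip()
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", v):
        return "hex", len(v) // 2
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v) and len(v) % 4 == 0:
        try:
            return "base64", len(base64.b64decode(v, validate=True))
        except (binascii.Error, ValueError):
            return None
    return None


def find_key_candidates(xml_text):
    """List <string> resources that look like embedded symmetric key material."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "")
        decoded = decoded_length(value)
        hinted = bool(NAME_HINT.search(name))
        if decoded and decoded[1] in AES_KEY_SIZES:
            reason = f"{decoded[0]} value decodes to {decoded[1]} bytes (AES key size)"
            findings.append((name, "high" if hinted else "medium", reason))
        elif hinted and value.strip():
            findings.append((name, "low", "secret-like name with literal value"))
    return findings
```

Any secret shipped inside an APK is readable by whoever holds the package, so a finding here means the key and the token check belong on the server, not in app resources.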

Liyi Zhou firmly believes that AI is rapidly surpassing traditional security tools. ‘In Android, our A2 system beats existing static analysis, and in smart contracts, A1 is close to state of the art,’ he stated. He added, ‘Tools are still useful, but they are slow and hard to build. AI is fast and accessible — we just call APIs, while the AI companies pour billions into training. We are standing on their shoulders.’

The economic implications for bug bounty hunters are also significant. The paper details the costs associated with A2’s operations, with detection-only costs ranging from $0.0004 to $0.029 per APK depending on the AI model used. The full validation pipeline, utilizing a mixed set of Large Language Models (LLMs), costs between $0.59 and $4.23 per vulnerability, with a median of $1.77. This is highly competitive, especially when compared to previous research showing GPT-4 generating exploits for about $8.80 each, suggesting a promising ‘AI arbitrage opportunity’ for accurate bug reports.

However, Zhou also cautioned about the limitations of bug bounty programs, noting that they cover only a fraction of potential flaws. ‘A cat-and-mouse game is inevitable,’ he warned. ‘A2 can uncover serious flaws today, but bug bounty programs only cover a fraction of them. That gap creates a strong incentive for attackers to exploit these bugs directly. How this plays out depends on how quickly defenders move.’ He anticipates an ‘explosion’ in the field, with a surge in both defensive research and offensive exploitation.

Adam Boynton, senior security strategy manager at Jamf, commented on the broader impact of such systems: ‘AI is moving vulnerability discovery from endless scan alerts to proof-based validation. Security teams get fewer false positives, faster fixes, and focus on real risks.’ In an effort to balance open research with responsible disclosure, the source code and artifacts for A2 have been made available only to those with institutional affiliation and a declared research purpose.

Nikhil Patel
Nikhil Patel is a tech analyst and AI news reporter who brings a practitioner's perspective to every article. With prior experience working at an AI startup, he decodes the business mechanics behind product innovations, funding trends, and partnerships in the GenAI space. Nikhil's insights are sharp, forward-looking, and trusted by insiders and newcomers alike.
