What Android Token Theft Is and Why It Matters
Android token theft is an attack where malicious or vulnerable apps silently grab authentication tokens from other apps, letting attackers access accounts without passwords, prompts, or obvious warning signs. Instead of cracking logins, attackers aim at the tokens that mobile apps store and share for single sign-on, then reuse them to read email, open files, or act as you over long periods. This kind of app security vulnerability is dangerous because stolen tokens can provide the same or greater access than a password, often with fewer alerts in logs and no visible login events for users. When an account token is stolen, an attacker can piggyback on normal app behavior, making their activity blend into routine traffic and allowing persistent access that is hard to spot or revoke.
OpenAI Codex Android Apps and npm Package Stealing Tokens
In a recent supply chain attack, OpenAI Codex authentication tokens were exfiltrated through a functional npm package named codexui-android and linked Android apps. The npm package, with over 29,000 weekly downloads, included code that read Codex’s auth.json file and sent access_token, refresh_token, id_token, and account ID to a fake Sentry endpoint. According to Aikido Security researcher Charlie Eriksen, “The refresh_token doesn't expire… An attacker holding it can silently impersonate you indefinitely.” Two Android apps from the BrutalStrike developer, including OpenClaw Codex Claude AI Agent, ran this package inside a PRoot sandbox and forwarded the full OAuth data once users signed in. Because the exfiltration has been present since codexui-android v0.1.82, any developer or user who authenticated through these apps or the npm package should assume their Codex account token is stolen and revoke it immediately.

Microsoft 365 Android Token Flaw and the FlagLeft Bug
A separate Android token theft issue hit Microsoft 365 apps such as Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Researchers at Enclave found a development flag, setIsDebugMode(true), left enabled in production builds of a shared Microsoft SDK. That debug flag disabled the security check that should restrict token sharing to trusted Microsoft apps. Any untrusted app on the same device could request a user’s FOCI tokens, then read email, open files, browse the calendar, or send messages as that user—no password, login screen, or permission prompt. Microsoft released a Microsoft 365 security patch on May 12, assigning four CVEs and classifying the issue as local spoofing under improper access control. Although Teams was not affected and no confirmed in-the-wild abuse has been reported, the flaw shows how one line of code can expose billions of app installs to Android token theft.
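The paragraph above describes a caller-trust check that a debug flag switched off. The Android code below is an added illustration of that pattern and is not Microsoft's SDK code or anything from the page: a token-sharing endpoint that verifies the calling app's signing certificate, shown first with a debug bypass of the kind the article describes and then in a hardened form that never skips the check. The class and package names, the `debugMode` constructor flag (standing in for the SDK's `setIsDebugMode` setting), the placeholder certificate fingerprint and the assumption of minSdk 28 are all this example's own.

```java
// Added example, not Microsoft's SDK code. Demonstrates why a debug flag must
// never short-circuit a caller-trust check in a token-sharing endpoint.
package example.tokenbroker; // hypothetical package name

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.Process;
import android.util.Log;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class TokenBroker {
    private static final String TAG = "TokenBroker";

    // SHA-256 fingerprints of signing certificates allowed to receive shared tokens.
    // Placeholder value; a real broker pins its own publisher's certificates here.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    private final Context context;
    private final boolean debugMode; // stands in for the SDK's setIsDebugMode(...) setting

    public TokenBroker(Context context, boolean debugMode) {
        this.context = context.getApplicationContext();
        this.debugMode = debugMode;
    }

    // VULNERABLE pattern: a development flag decides whether the trust check runs at all.
    // Shipped with debugMode == true, every app on the device passes.
    public boolean callerMayReceiveTokenVulnerable() {
        if (debugMode) {
            return true;
        }
        return callerIsTrusted();
    }

    // HARDENED pattern: the trust check always runs. The flag only adds diagnostics,
    // and only when this build is itself debuggable, so a production build ignores it.
    public boolean callerMayReceiveToken() {
        boolean buildIsDebuggable =
                (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        boolean trusted = callerIsTrusted();
        if (debugMode && buildIsDebuggable) {
            Log.d(TAG, "caller uid " + Binder.getCallingUid() + " trusted=" + trusted);
        }
        return trusted;
    }

    // Resolves the Binder caller to its package(s) and requires every one of them
    // to be signed by a pinned certificate. A shared UID with one untrusted package fails.
    private boolean callerIsTrusted() {
        int callingUid = Binder.getCallingUid();
        if (callingUid == Process.myUid()) {
            return true; // request from our own process
        }
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        for (String pkg : packages) {
            if (!signedByTrustedCertificate(pm, pkg)) {
                return false;
            }
        }
        return true;
    }

    // Requires API 28+ (SigningInfo). Every current signer must be in the pinned set.
    private boolean signedByTrustedCertificate(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            for (Signature s : signers) {
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // unknown package or missing digest: fail closed
        }
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The design point is that the hardened version has no code path in which the signature check is skipped: `debugMode` changes logging only, and is itself gated on `ApplicationInfo.FLAG_DEBUGGABLE`, which release builds do not set. A unit test that instantiates the broker with `debugMode = true` against an untrusted caller and asserts that no token is released is the regression check that would have caught the flaw the article describes.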

How Attackers Exploit Token Theft on Your Device
Attackers exploiting these app security vulnerabilities follow a similar pattern: get onto the device, grab tokens, then move quietly. In the Codex case, the malicious Android apps and npm package waited until a user signed in, extracted auth.json inside a sandboxed environment, and sent the full OAuth blob to a remote server that looked like a monitoring service. For Microsoft 365, a malicious app already installed on the same Android device could exploit the FlagLeft flaw to request FOCI tokens directly from Word, Excel, or other affected apps, then connect to Microsoft services in the background. No new dangerous permission was needed; the bug abused trusted single sign-on flows. Because these are refreshable tokens designed for cross-app use, attackers can keep renewing access, so even if you change your password, sessions may remain active until tokens are revoked or expire.
Steps You Should Take Now to Protect Your Accounts
To reduce your risk from Android token theft, start with updates. Open the Play Store, go to Manage apps, and update all Microsoft 365 Android apps—Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot—so the Microsoft 365 security patch is installed. Remove any Codex-related Android apps from BrutalStrike and stop using the codexui-android npm package, especially versions at or after v0.1.82. Next, review app permissions and uninstall apps you do not recognise or no longer use; fewer apps mean fewer chances for a malicious update to ask for tokens. Finally, monitor your accounts for signs of misuse: unexpected logins, unfamiliar documents, surprise emails sent from your address, or odd calendar entries. If anything looks suspicious, revoke active sessions, rotate API keys, and reset passwords, then re-check that all apps are fully updated.