Android deserialization vulnerabilities
This blog is about the history of these vulnerabilities.
First one
Research done by Jann Horn back in 2014. Horn showed that Android allowed deserialization of any class, even ones that are not Java-serializable, in the context of the attacked app or service, leading to remote code execution.
IBM X-Force Application Security Research Team
that IBM’s X-Force Application Security Research Team found in the Android platform. In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device.