2018-11-06
Android deserialization vulnerabilities
This post is a short history of deserialization vulnerabilities on the Android platform, covering two pieces of research.
The first is research published by Jann Horn in 2014. Horn showed that Android's ObjectInputStream would deserialize an instance of any class, including classes that do not implement java.io.Serializable, inside the process of the attacked app or service. Because the attacker controls the field values of the reconstructed object, a malicious app could turn this into code execution in the target process, and when the target is a privileged system service, into a privilege escalation.
The second is a vulnerability that IBM's X-Force Application Security Research Team found in the Android platform. In a nutshell, an advanced attacker could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a "super app" and help the attacker take over the device.