Android-Research-Notes

Android security scratchpad for userland app abuse paths, vuln patterns, case studies & random research notes.


Android Malicious App Threat Model Bulk CVE Case Studies

Focused on userland Android vulnerabilities involving non-system* apps with emphasis on recurring exploitation patterns, privilege escalation paths & trust boundary failures.

| Vulnerability Type | Main Theme | Common Result | References |
|---|---|---|---|
| Dirty Stream Attack (Arbitrary File Overwrite → Remote Code Execution) | `DISPLAY_NAME` / `_display_name` abuse, unsafe `ContentResolver.query()` trust, attacker-controlled filename → path traversal overwrite | Internal file overwrite, config poisoning, privilege escalation, account takeover | Includes notable cases such as CVE-2025-14111 (RAR App path traversal)<br>Secsys-FDU/AF_CVEs/issues<br>Microsoft Dirty Stream Attack, with foundational Dirty Stream research credited to ch0pin |
| Cross-App ClassLoader / Parcelable Injection | Foreign ClassLoader access, exported Parcelable/Serializable trust failures, attacker-controlled object reconstruction via `createPackageContext`, `getParcelableExtra`, and deserialization trust abuse | Account hijacking, intent redirection, privilege escalation, remote code execution | Nullcon Berlin 2025 – My Other ClassLoader Is Your ClassLoader Reloaded<br>Black Hat EU 2024 – My Other ClassLoader Is Your ClassLoader<br>Research credit to ch0pin |
| Arbitrary File Overwrite (AFO) | SharedPreferences pollution, vulnerable ContentProvider, cross-layer exploitation, config poisoning, unsafe internal file handling | App compromise, privilege escalation, account takeover, code execution chains | LianKee/SO-CVEs<br>ACM Paper: Android File Overwrite Research |
| Task Hijacking | Task stack abuse, exported activity misuse, UI trust abuse | Credential theft, auth interception, phishing → account takeover | KMov-g/androidapps |
| Client-Embedded Trusted Credentials (React Native / Mobile SDK Trust Failure) | Embedded trusted backend secrets (`SEGMENT_WRITE_KEY`, `SegmentWriteKey`) exposed via React Native config injection, JS bundle extraction, `.env` leakage, and mobile SDK initialization assumptions → attacker-controlled requests treated as legitimate | Sensitive data decryption, forged authenticated requests, unauthorized uploads/file operations, analytics abuse, backend trust abuse, and potential privilege escalation depending on how the embedded credential is used | CVE-2026-4242, CVE-2026-5453, CVE-2026-5454, CVE-2026-5455, CVE-2026-5458, CVE-2026-5462<br>Recurring VulDB disclosures by fxizenta / KMov (same researcher) |
| Egress Phone Call EOP | Privileged telecom abuse, exported system component abuse, dialer intent misuse | Unauthorized calls, privilege escalation, restricted API access | actuator/cve#privilege-escalation |
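The Dirty Stream and Arbitrary File Overwrite rows both come down to one mistake: a `DISPLAY_NAME` value returned by another app's ContentProvider is used as a file name without validation. The following Java snippet is an added illustration, not code from this repo or from any of the referenced research. It assumes a hypothetical `IncomingFileHandler` class inside an Android app; the only real APIs used are `ContentResolver.query()`, `OpenableColumns.DISPLAY_NAME`, and `java.io`. `saveVulnerable` shows the trust failure, `saveHardened` shows the two checks a defender wants: restrict the name to a single plain path component, and confirm the canonical destination still lies inside the intended directory.

```java
// Added illustration of the Dirty Stream file-name trust failure and its fix.
// Hypothetical class; not part of Android-Research-Notes or any cited project.
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class IncomingFileHandler {

    // VULNERABLE: the remote ContentProvider controls DISPLAY_NAME. A value
    // containing "../" segments resolves outside getCacheDir() and overwrites
    // an internal file of this app (the "config poisoning" result in the table).
    public static File saveVulnerable(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File out = new File(ctx.getCacheDir(), name); // no validation at all
        copy(ctx.getContentResolver().openInputStream(uri), out);
        return out;
    }

    // HARDENED: treat DISPLAY_NAME as untrusted input from another app.
    public static File saveHardened(Context ctx, Uri uri) throws IOException {
        File baseDir = ctx.getCacheDir();
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        String safeName = sanitizeFileName(name);
        File out = new File(baseDir, safeName);
        // Second, independent check: the canonical path must stay under baseDir.
        if (!isInside(baseDir, out)) {
            throw new IOException("path traversal rejected");
        }
        copy(ctx.getContentResolver().openInputStream(uri), out);
        return out;
    }

    // Reads DISPLAY_NAME as the provider reports it. A malicious provider may
    // ignore the projection, so the column index is looked up defensively.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) {
                    String v = c.getString(idx);
                    if (v != null) return v;
                }
            }
        }
        return "download.bin"; // constructed fallback name
    }

    // Accept only one path component drawn from a conservative character set.
    // Separators, NUL, "." and ".." are rejected outright rather than stripped.
    static String sanitizeFileName(String name) throws IOException {
        if (name == null || name.isEmpty() || name.length() > 255
                || name.contains("/") || name.contains("\\") || name.contains("\0")
                || name.equals(".") || name.equals("..")) {
            throw new IOException("invalid display name");
        }
        if (!name.matches("[A-Za-z0-9._-]+")) {
            throw new IOException("display name contains disallowed characters");
        }
        return name;
    }

    // Canonicalise both sides so symlinks and "." / ".." segments are resolved
    // before the containment comparison.
    static boolean isInside(File baseDir, File candidate) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        return candidate.getCanonicalPath().startsWith(base);
    }

    static void copy(InputStream in, File out) throws IOException {
        try (InputStream src = in; OutputStream dst = new FileOutputStream(out)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = src.read(buf)) > 0) {
                dst.write(buf, 0, n);
            }
        }
    }
}
```

Both checks are kept even though either alone blocks the plain `../` case: the allow-list rejects oddities such as NUL bytes and over-long names that a canonical-path comparison would not catch, while the canonical-path comparison guards against a future caller passing a `baseDir` that is itself a symlink.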

A large part of my methodology for identifying Android trust boundary failures & privilege escalation paths was heavily influenced by Ryan Johnson’s prior research on preinstalled and privileged Android app exploitation.

v0.3.1[beta]