Focused on userland Android vulnerabilities involving non-system* apps with emphasis on recurring exploitation patterns, privilege escalation paths & trust boundary failures.
| Vulnerability Type | Main Theme | Common Result | References |
|---|---|---|---|
| Dirty Stream Attack (Arbitrary File Overwrite → Remote Code Execution) | DISPLAY_NAME / _display_name abuse, unsafe ContentResolver.query() trust, attacker-controlled filename → path traversal overwrite |
Internal file overwrite, config poisoning, privilege escalation, account takeover | Includes notable cases such as CVE-2025-14111 (RAR App path traversal) Secsys-FDU/AF_CVEs/issues Microsoft Dirty Stream Attack with foundational Dirty Stream research credited to ch0pin |
| Cross-App ClassLoader / Parcelable Injection | Foreign ClassLoader access, exported Parcelable/Serializable trust failures, attacker-controlled object reconstruction via createPackageContext, getParcelableExtra, and deserialization trust abuse |
Account hijacking, intent redirection, privilege escalation, remote code execution | Nullcon Berlin 2025 – My Other ClassLoader Is Your ClassLoader Reloaded Black Hat EU 2024 – My Other ClassLoader Is Your ClassLoader Research credit to ch0pin |
| Arbitrary File Overwrite (AFO) | SharedPreferences pollution, vulnerable ContentProvider, cross-layer exploitation, config poisoning, unsafe internal file handling |
App compromise, privilege escalation, account takeover, code execution chains | LianKee/SO-CVEs ACM Paper: Android File Overwrite Research |
| Task Hijacking | Task stack abuse, exported activity misuse, UI trust abuse | Credential theft, auth interception, phishing → account takeover | KMov-g/androidapps |
| Client-Embedded Trusted Credentials (React Native / Mobile SDK Trust Failure) | Embedded trusted backend secrets (SEGMENT_WRITE_KEY, SegmentWriteKey) exposed via React Native config injection, JS bundle extraction, .env leakage, and mobile SDK initialization assumptions → attacker-controlled requests treated as legitimate |
Sensitive data decryption, forged authenticated requests, unauthorized uploads/file operations, analytics abuse, backend trust abuse, and potential privilege escalation depending on how the embedded credential is used CVE-2026-4242 | CVE-2026-5453, CVE-2026-5454, CVE-2026-5455, CVE-2026-5458, CVE-2026-5462 Recurring VulDB disclosures by fxizenta / KMov (same researcher) |
| Egress Phone Call EOP | Privileged telecom abuse, exported system component abuse, dialer intent misuse | Unauthorized calls, privilege escalation, restricted API access | actuator/cve#privilege-escalation |
A large part of my methodology for identifying Android trust boundary failures & privilege escalation paths was heavily influenced by Ryan Johnson’s prior research on preinstalled and privileged Android app exploitation.