Android <5.0 Privilege Escalation using ObjectInputStream (CVE-2014-7911)

  Severity: HIGH
  Advisory Date: OCT 08, 2015


This is one of the vulnerabilities used by the GiefRoot exploit kit, which the malicious Android app Retro Tetris downloads onto the device. This malicious gaming app, which is capable of rooting devices, is published on Google Play.

When ObjectInputStream is used on untrusted input, an attacker may cause an instance of any class with a non-private parameterless constructor to be created. In addition, an attacker may execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service.
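
One way to constrain ObjectInputStream when the input is untrusted, shown as an added example (not code from this advisory or from Android): a subclass that overrides resolveClass so that only allowlisted, Serializable classes are ever instantiated. The class name AllowlistObjectInputStream and the sample allowlist are assumptions, and the demo stream is constructed inline.

```java
import java.io.*;
import java.util.*;

// Hypothetical helper: deserializes only classes named on an explicit allowlist.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called for each class descriptor before any instance is allocated, so a
    // rejected class is never constructed and its finalize() is never scheduled.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on allowlist");
        }
        Class<?> cls = super.resolveClass(desc);
        // Defence in depth: only Serializable classes may come out of a stream.
        if (!Serializable.class.isAssignableFrom(cls)) {
            throw new InvalidClassException(desc.getName(), "class is not Serializable");
        }
        return cls;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stream: one allowed object, one that is not allowed.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Date(0L));
            out.writeObject(new ArrayList<String>());
        }
        Set<String> allow = Collections.singleton("java.util.Date");
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allow)) {
            System.out.println("accepted: " + in.readObject().getClass().getName());
            in.readObject(); // java.util.ArrayList is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keep the allowlist as small as the data format requires; every class on it, and every class reachable through its fields, becomes part of the attack surface of the reader.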