Android
Android 4.3.
Versions below are unconfirmed.
Any app which implements and exports an activity that extends a PreferenceActivity class can be subverted to load an arbitrary class by exploiting the dynamic fragment loading process:
public static Fragment instantiate(Context context, String fname, Bundle args) {
try {
Class clazz = sClassMap.get(fname);
if (clazz == null) {
// Class not found in the cache, see if it's real, and try to add it
clazz = context.getClassLoader().loadClass(fname);
sClassMap.put(fname, clazz);
}
Fragment f = (Fragment)clazz.newInstance();
if (args != null) {
args.setClassLoader(f.getClass().getClassLoader());
f.mArguments = args;
}
return f;
}
A malicious app can simply invoke the target activity using an Intent object with an ‘:android:show_fragment’ extra field containing the arbitrary class name, and provide it arguments using the ’:android:show_fragment_arguments’ extra or by other intent fields. In the context of PreferenceActivity, the class loader which is used is dalvik.system.PathClassLoader which enables it to load classes belonging the the vulnerable app, Android or Java frameworks. The loaded class will run in the context of the vulnerable app, will have the same privileges of it and have access to its private data.