Android : Arbitrary code execution

Developers are able to add extra functionality into Android apps by using external modules (native libraries, third-party app files, etc.). Such modules are executed in the context of the main app, which leads to Arbitrary code execution. Software and Data Integrity Failures take eighth place in the OWASP Top 10 2021 list of ten most significant vulnerabilities in web applications.

After installing the module the main app searches for it among all the apps installed on the same device by using values from manifest file AndroidManifest.xml. If the verification is not strong enough, an attacker’s app may be treated as a legitimate module and its code can be executed in the context of the main app – leading to arbitrary code execution. As a result, the attacker may steal any sensitive data from the app, as well as to substitute this data, disclose financial details, and track the user.