Android Parcels: The Bad, the Good and the Better - Introducing Android's Safer Parcel

Parcel is the serialization mechanism in Android and is behind almost every OS cross-process interaction. Parcelable implementations have been the source of vulnerabilities in Android for ~8 years, often rated high severity and weaponized by malware authors to achieve privileged exploits, including silent package installation and arbitrary code execution.This talk covers a detailed overview of known exploit techniques that abuse Parcel vulnerabilities, including the well-known yet still active Bundle FengShui exploits; and a novel exploit chain that was reported through …

abuse android authors bad bundle code code execution cve exploit exploits google high installation june malware novel package privileged process program serialization severity silent techniques the good vrp vulnerabilities well-known