Google Android PreferenceActivity Class :android:show_fragment Intent Extra Arbitrary Class Loading Local Privilege Escalation
Local Access Required
Mobile Phone / Hand-held Device
Loss of Integrity
Google Android contains a flaw in the PreferenceActivity class that allows unauthorized privileges to be gained. The issue is due to the :android:show_fragment intent extra allowing arbitrary classes to be loaded. This may allow a local attacker to use a specially crafted application to load arbitrary classes and gain elevated privileges.
Google has provided a patch in Android 4.4 KitKat by adding a new protected API, PreferenceActivity.isValidFragment, which is called before the Fragment is dynamically instantiated by PreferenceActivity.
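An application adopts the patched behaviour by overriding isValidFragment with an exact-match allowlist, as in the added example below. This is not code from Google or from the original entry, and the class names SettingsActivity, GeneralFragment and AccountFragment are hypothetical.

```java
import android.preference.PreferenceActivity;
import android.preference.PreferenceFragment;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical settings screen; the names are illustrative only.
public class SettingsActivity extends PreferenceActivity {

    // Hypothetical fragments this activity is meant to host.
    public static class GeneralFragment extends PreferenceFragment { }
    public static class AccountFragment extends PreferenceFragment { }

    // Fully qualified names of the only fragments that may be instantiated.
    // Exact matches are used on purpose: a prefix or package check would
    // still admit classes the activity was never designed to load.
    private static final Set<String> ALLOWED_FRAGMENTS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                    GeneralFragment.class.getName(),
                    AccountFragment.class.getName())));

    // Called by PreferenceActivity before it instantiates the fragment
    // named by the caller, including a name supplied through the
    // :android:show_fragment intent extra.
    @Override
    protected boolean isValidFragment(String fragmentName) {
        return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
    }
}
```

For apps whose targetSdkVersion is KitKat or later, the default implementation throws an exception, so a PreferenceActivity that loads fragments must supply an override like this one; returning true unconditionally restores the original flaw.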