My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


ObjectInputStream Serialization


The vulnerability, which was discovered in November 2014 and named ObjectInputStream Serialization, poses a threat to users of the devices running Android versions earlier 5.0.

One of the operating system's components has an important feature of data processing, which is used by cybercriminals to perform various malicious actions on the infected device. It lies in the fact that the ObjectInputStream component, located in the luni/src/main/java/java/io/ system folder, does not check the received objects for the ability to support serialization.

Using this vulnerability, attackers can interfere with the operating system's work — for example, kill Android’s critical system processes.

Dr.Web anti-virus for Android can not affect this vulnerability, since it is located in one of the system components which are used to run the device, but it is able to prevent penetration and launch of the malicious programs, exploiting the detected feature, on a mobile phone or tablet. Consequently, users of Dr.Web Anti-virus for Android are protected from cybercriminals' actions. This vulnerability was fixed in Android 5.0 by operating system's developers.

Technical details

The serialization of objects in the Java programming language means the ability of the object and other objects, to which it refers, to transform into a byte array (e.g, in the form of an external file) for further storage and transmission. Subsequently, the serialized object can be restored from such copy into its original form.

This technology is mainly used for the "freezing" of an object or a group of objects using the output stream to save them on disk or transfer through the network, succeeded by the backward transformation into usable Java structures. The transformation is performed automatically using the ObjectInputStream and ObjectOutputStream classes if the Serializable interface is used when creating these classses. The serialization mechanism is widely used in the interprocess communication.

The vulnerability is that the attacker can create a sample of any object, that has the no-argument public constructor, from its serialized form, even if it does not meet the requirements for serialization. If this object has the finalize method, there is a call of this method, before its removing with the help of Garbage Collector. As a result, the code inside the object is being executed. Using this vulnerability, the hacker can attack for example Android system services in order to terminate them abnormally.

See also information about other vulnerabilities

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies