The class loader is a fundamental component of the Java Virtual Machine, responsible for dynamically loading classes into an application's memory during runtime. The functionality of class loaders is outlined by the abstract ClassLoader class, with the PathClassLoader and DexClassLoader being some common implementations in the Android OS.

In the context of data transfer and object management, dynamic class loading becomes particularly relevant when dealing with Serializable and Parcelable objects, as the ClassLoader implementation plays a crucial role in reconstructing them. However, while the Android security model enforces isolation among running processes, nothing prevents an application from creating and maliciously using objects of another app. In fact, the practice of storing application resources and their code in world-readable directories, eases this process, since it allows any app to "borrow" the context of another and create class loader instances that can be used to construct Java objects with potentially unsafe content.

Android developers often overlook this contingency, placing undue trust to Java objects received from untrusted sources. In a typical scenario, an application handles such objects, without proper caution regarding their encapsulated data. Depending on the use of this data, such an oversight can lead to unpredicted behavior and under some circumstances, it can have serious security implications.

In this study, we demonstrate techniques and explore how third-party applications, without requiring any permission, can leverage the outlined behavior to craft and dispatch parcelable Java objects with malicious content, to other applications. We further illustrate, using practical examples, the severe security implications that this may have, underscoring the necessity for more vigilant and comprehensive security practices in Android application development.