In Android versions prior to 5.0, java.io.ObjectInputStream did not check whether the Object that is being deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created. All fields of that instance can be set to arbitrary values. The malicious object will then typically either be ignored or cast to a type to which it doesn’t fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method. Proof of concept code included.