A bug was recently fixed in Android Lollipop that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The vulnerability lies in java.io.ObjectInputStream, which fails to check whether the object being deserialized is actually serializable. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.
Source: https://threatpost.com/nasty-security-bug-fixed-in-android-lollipop-5-0/109476/

