The vulnerability resides in “DocumentBuilderFactory,” a popular XML parsing library used by Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse. It is triggered when a vulnerable Android development or reverse engineering tool decodes an application and tries to parse a maliciously crafted “AndroidManifest.xml” file inside it. The vulnerability can also be used to inject arbitrary files anywhere on a targeted computer to achieve full remote code execution (RCE), which makes the attack surface wide and varied.
Source: https://thehackernews.com/2017/12/android-development-tools.html