Android versions prior to 5.0 suffer from a remote SQL injection vulnerability in the opt module WAPPushManager.
18706be9be8033c24e8c2f06033de0b992c7dd3941e112ef9d8ce5cecd8fdef9
Android versions prior to 5.0 allow an unprivileged application the ability to resend all the SMS's stored in the users phone.
9954c7e735f97d8deaa62bdd4dd7a93cbbb3e11d2057e1ba006ba091a07683fc
In Android versions prior to 5.0 and possibly greater than and equal to 4.0, Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party applications. Due to this, a malicious app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid.
cfc2aeebb8ce7b28e800f8cd2c1a2ef4f012afd9da67892dea7842b3fef42e7c