PoC source code of Android Bug: 17356824.

diff of bug:https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4%5E%21/#F0

You can send broadcast to almost ANY reciever you want,even if it's a protect-broadcast or the reciever is a unexported/permission-limited one.

All the devices prior to Android 5.0 are affected.

demo video:http://v.youku.com/v_show/id_XODI1NTgxMDYw.html

more info: http://blogs.360.cn/360mobile/

http://retme.net/index.php/2014/11/14/broadAnywhere-bug-17356824.html

UPDATE(11.26):

Baidu X-Team report this bug,the CVE number is CVE-2014-8609: http://seclists.org/fulldisclosure/2014/Nov/81