
It's a vulnerability in the Android WebView component, which supports an "addJavascriptInterface" method. This method allows you to call Java native methods by using a JavaScript object inside the webpage. And there is a trick that can bypass the restriction on the classes that the JSInterface object could access: you can call any method in any Java class, such as java.lang.Runtime.exec. You can google "addJavascriptInterface vulnerability". It's not a new vulnerability, but lots of apps haven't fixed it yet.
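An added example, not part of the comment above: a small audit that finds `addJavascriptInterface` registrations in an app's Java sources and reports whether the manifest's SDK levels leave the bridge unrestricted. It relies on the documented platform behaviour that only methods annotated with `@JavascriptInterface` are exposed when the app targets and runs on API level 17 or later; the function names, the manifest strings and the source snippet are constructed for illustration, and it assumes the manifest carries a `uses-sdk` element.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SAFE_API = 17  # from API 17 only @JavascriptInterface-annotated methods are exposed
# Matches x.addJavascriptInterface(<object>, "<name>"). It also matches calls
# inside comments, so treat hits as leads to review, not proof.
CALL_RE = re.compile(r'\.addJavascriptInterface\s*\(\s*([^,]+?)\s*,\s*"([^"]*)"')

def sdk_levels(manifest_xml):
    """Return (minSdk, targetSdk), applying Android's defaults when absent."""
    uses = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = uses.attrib if uses is not None else {}
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))
    return min_sdk, target

def audit(manifest_xml, sources):
    """List every bridge registration with the reasons it is unrestricted."""
    min_sdk, target = sdk_levels(manifest_xml)
    reasons = []
    if target < SAFE_API:  # app opts into the old "all public methods" behaviour
        reasons.append(f"targetSdkVersion {target} < {SAFE_API}")
    if min_sdk < SAFE_API:  # app can be installed on devices without the restriction
        reasons.append(f"minSdkVersion {min_sdk} < {SAFE_API}")
    findings = []
    for path, text in sources.items():
        for m in CALL_RE.finditer(text):
            findings.append({"file": path,
                             "line": text.count("\n", 0, m.start()) + 1,
                             "object": m.group(1), "js_name": m.group(2),
                             "reasons": list(reasons)})
    return findings

# Constructed sample inputs (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
LEGACY_MANIFEST = HEAD + '<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/></manifest>'
MODERN_MANIFEST = HEAD + '<uses-sdk android:minSdkVersion="17" android:targetSdkVersion="19"/></manifest>'
SAMPLE_SOURCES = {"MainActivity.java": (
    "WebView webView = new WebView(this);\n"
    "webView.getSettings().setJavaScriptEnabled(true);\n"
    'webView.addJavascriptInterface(new Bridge(), "bridge");\n')}

if __name__ == "__main__":
    for f in audit(LEGACY_MANIFEST, SAMPLE_SOURCES):
        status = "UNRESTRICTED: " + "; ".join(f["reasons"]) if f["reasons"] else "annotation-gated"
        print(f'{f["file"]}:{f["line"]} {f["object"]} as "{f["js_name"]}" -> {status}')
```

A finding with an empty `reasons` list still deserves review of which methods carry the annotation and what content the WebView is allowed to load.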


