It became apparent that there was no low hanging fruit or indeed any fruit that I could reach from the Android vulnerability tree that would get me the access I needed. At least not something that would cover both OS 4.2.2 and 4.4.2. I then focused my efforts into the specific OS build Samsung made for their tablet with all the bloat and hidden apps.

It's amazing how much stuff is running in the background of the tablet and it explains why it lags even after factory reset - there's Google stuff split into several apps, Samsung first party apps and all the partnership preloaded stuff that keeps growing in size with each new device and makes me feel like us users are the product.

I investigated all the preinstalled APKs focusing on keywords such as test, factory, debug,... and found a potential target: app with package name com.sec.factory deployed from DeviceTest.apk. It had system level permissions and its AndroidManifest.xml showed A LOT of potential entry points. It was the equivalent of chmod 777 * -R. It seems that Samsung engineers figured that some kind of root access was needed during device/OS development and testing and why not keep it in production builds, too, but protected by a custom Android permission? And best of all - a very similar app was present on both Jelly Bean and KitKat OS images.

The code quality was bad. It looked quickly put together with many complex relationships with other hidden preloaded apps in the form of private Activities, BroadcastReceivers and Services. Some of the test/debug features can be triggered through a special code entered in the Calculator app. I was overwhelmed but excited - I knew that they have forgotten something somewhere that would give me access!

A great paper on this: https://yajin.org/papers/ccs13_sefa.pdf