Increasing the range of address-space layout randomization
Posted Dec 17, 2015 23:03 UTC (Thu) by wodny (subscriber, #73045)
In reply to: Increasing the range of address-space layout randomization by thestinger
Parent article: Increasing the range of address-space layout randomization
Java runtime + all dynamically linked libraries NDK apps use. So even though you don't gain control over a privileged process like the mediaserver easily, you can still exploit libraries like stagefright (or libchromium_net.so from the Zygote document) to run (almost) arbitrary assembly and try to escalate privileges attacking the kernel or any other component you can interact with.