Google Play flaw opens Android devices to silent malware installation

Android users are in danger of getting malicious apps silently installed on their devices by attackers, warns Rapid7’s Tod Beardsley, technical lead for the Metasploit Framework.

“Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google’s Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK),” he noted.

The danger is especially great for users who are constantly signed into Google services.

Rapid7 has created a Metasploit module that can be used to test Android devices for the two vulnerabilities.

“First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store’s web interface fails to enforce an X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection,” Beardsley explained.

“As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.”

The Play Store XFO vector was discovered by Metasploit developer Joe Vennix, and Google has apparently been made aware of it.
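The XFO gap described above is a coverage problem: the anti-framing header was missing on some error pages. The following Python audit is an added example, not code from Rapid7, Metasploit or the original article; it checks response heads, error pages included, for `X-Frame-Options` or a CSP `frame-ancestors` directive, and every path and response in it is constructed sample data.

```python
# Added example: audit captured HTTP response heads for anti-framing coverage.
# All paths and responses below are constructed sample data, not real traffic.

SAMPLE_RESPONSES = {  # path -> raw response head (constructed)
    "/shop/items": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "/shop/account": "HTTP/1.1 200 OK\r\nContent-Security-Policy: "
                     "default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    "/shop/missing": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "/shop/bad": "HTTP/1.1 400 Bad Request\r\nx-frame-options: ALLOWALL\r\n\r\n",
}

def parse_head(raw):
    """Split a raw response head into (status, {lowercased name: [values]})."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def framing_blocked(headers):
    """True only if every XFO value is valid, or CSP restricts frame-ancestors."""
    xfo = {v.upper() for v in headers.get("x-frame-options", [])}
    if xfo and xfo <= {"DENY", "SAMEORIGIN"}:
        return True
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = {p.lower() for p in parts[1:]}
                # Conservative: only an explicit 'none' or 'self' counts.
                if sources and sources <= {"'none'", "'self'"}:
                    return True
    return False

def audit(responses):
    """Return sorted (path, status) pairs whose response can still be framed."""
    findings = []
    for path, raw in responses.items():
        status, headers = parse_head(raw)
        if not framing_blocked(headers):
            findings.append((path, status))
    return sorted(findings)

if __name__ == "__main__":
    for path, status in audit(SAMPLE_RESPONSES):
        print(f"frameable: {path} (HTTP {status})")
```

Feeding it the heads of a site's 4xx and 5xx responses as well as its normal pages is what exposes this kind of partial coverage.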

Until Google fixes the flaw(s), users can protect themselves against this type of attack by switching to a browser that’s not vulnerable (such as Google Chrome or Mozilla Firefox) or by logging out of their Google account while using a vulnerable browser.
