Attackers can exploit gaps in X-Frame-Options (XFO) enforcement on Google’s Play Store web application to remotely install malware onto users’ Android devices.
“A malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK),” explains security researcher Tod Beardsley, who posted an advisory about this new threat in the Rapid7 community forum.
Devices that run Android Jelly Bean (4.3) and earlier are vulnerable to the XFO flaw because they ship with browsers that have known UXSS exposures.
In recent weeks, Google announced that it would only support Android Lollipop (5.0) and KitKat (4.4). Jelly Bean and all earlier versions will no longer receive WebView security updates from Google, meaning that millions of users could remain exposed to the XFO vulnerability.
Using a Metasploit module, Beardsley exploited a UXSS vulnerability in Android’s open source stock browser (the AOSP Browser) and in other browsers installed on devices running versions prior to KitKat. Because Google’s web interface did not enforce XFO, the Play Store’s remote installation feature was exposed to remote code execution, allowing the researcher to install any Google app he chose onto the affected device.
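The root cause on the server side is a response that can be embedded by any origin. The following check is an added example written for this article; it is not code from Rapid7’s advisory or Metasploit module. It evaluates a response header set the way a browser would (a Content-Security-Policy `frame-ancestors` directive takes precedence over `X-Frame-Options`) and classifies how strongly the page is protected against being framed by another origin. The sample header sets are constructed for illustration and do not reproduce Google’s actual responses.

```python
"""Classify how well an HTTP response's headers prevent cross-origin framing."""
from typing import Mapping, Optional, Tuple

# Constructed sample responses (not real Google Play headers).
SAMPLE_RESPONSES = {
    # Looks like a typical dynamic page with no framing protection at all.
    "unprotected-page": {"Content-Type": "text/html", "Set-Cookie": "sid=abc; HttpOnly"},
    # Classic hardening: only same-origin pages may embed it.
    "hardened-xfo": {"x-frame-options": "SAMEORIGIN"},
    # Modern hardening: CSP forbids every ancestor.
    "hardened-csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    # ALLOW-FROM is obsolete and ignored by current browsers; flag it as weak.
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_policy(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Classify framing protection.

    Returns one of:
      "blocked"      - no origin may frame the page
      "same-origin"  - only the page's own origin may frame it
      "restricted"   - an explicit allow-list (or an obsolete mechanism browsers ignore)
      "unprotected"  - any origin may frame the page
    plus a short reason string.
    """
    # Browsers that understand frame-ancestors ignore X-Frame-Options when both exist.
    csp = _get_header(headers, "Content-Security-Policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            sources = [a.strip("'").lower() for a in ancestors]
            if sources == ["none"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            return "restricted", "CSP frame-ancestors allow-list: " + " ".join(ancestors)

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options and no CSP frame-ancestors directive"
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # Obsolete: most browsers ignore it entirely, so treat it as weak, not absent.
        return "restricted", "X-Frame-Options ALLOW-FROM is obsolete and widely ignored"
    # Unknown values (e.g. ALLOWALL) are not honoured, so the page stays frameable.
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Map each named response to its framing classification."""
    return {name: framing_policy(headers)[0] for name, headers in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        status, reason = framing_policy(headers)
        print(f"{name:22s} {status:12s} {reason}")
```

Run against a real deployment, this is the check to wire into a CI smoke test or a response-header scanner for every authenticated endpoint: a page that performs a sensitive action while returning "unprotected" is the server-side precondition the article describes, regardless of which client-side bug is used to drive it.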
Individuals who remain signed in to Google services such as Gmail and YouTube on their Android devices are the most exposed to this particular flaw, according to the advisory.
It is recommended that users on affected platforms browse the Internet with a browser that has no widely known UXSS vulnerabilities, such as Google Chrome or Mozilla Firefox. Alternatively, they should log out of Google services when using the pre-installed Android browser.