Researchers from Metaspolit have discovered a major flow on devices running Android 4.3 (Jelly Bean) & prior versions that no longer receive official security updates from Android security team for WebView. Webview is one of core component for Google store. Attackers can easily install the malware app and perform malicious actions.
Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google’s Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).”
Hence anyone who also installed aftermarket browsers are susceptible for this attack.In the pool of vulnerable versions, users who are habitually signed into Google services, such as Gmail or YouTube or others are at huge risk.
Metaspolit further states that ” The Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.”