Silent but violent: Foul Google Play flaw lets hackers emit smelly apps

A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers.

Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store.

Tod Beardsley, engineering manager at Rapid7, the firm behind the Metasploit penetration testing tool, explained that many devices running installations of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS [Universal Cross-site Scripting] exposures.

"Users of these platforms may also have installed vulnerable aftermarket browsers. Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable."

Using a browser not susceptible to widely known UXSS vulnerabilities – such as Google Chrome or Mozilla Firefox – can help mitigate the lack of universal X-Frame-Options (XFO) for the play.google.com domain. Not logging into the Google Play store is another effective way of avoiding the vulnerability.

The Play Store XFO issue was was reported by Joe Vennix of Rapid7. The Metasploit firm went public with the issue on Tuesday with the publication of an advisory, accompanied by a Metasploit module that helps enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. The Register has asked Google for comment and will update this story as soon as we hear more. ®