Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Google Play, Browser Flaws Expose Android Devices to Remote Code Execution

Vulnerabilities plaguing Google Play and some Android Web browsers can be exploited by an attacker to remotely execute arbitrary code on smartphones, researchers warned on Tuesday.

Vulnerabilities plaguing Google Play and some Android Web browsers can be exploited by an attacker to remotely execute arbitrary code on smartphones, researchers warned on Tuesday.

According to security firm Rapid7, one of the problems is that Google Play ( lacks appropriate X-Frame-Options (XFO) headers. These optional HTTP response headers are designed to protect against clickjacking and other types of attacks by preventing the web page from being displayed by other websites in a frame.

Rapid7 researcher Joe Vennix discovered that the Google Play Store fails to enforce a proper XFO header on some error pages.

By combining this security flaw with a recently discovered universal cross-site scripting (UXSS) vulnerability in the Web browser shipped with Android versions prior to 4.4 (KitKat), or an XSS bug in Google Play, an attacker can remotely install arbitrary Android application packages (APKs) on smartphones.

Trend Micro pointed out in September 2014 that the UXSS vulnerability found in the Android Open Source Project (AOSP) browser also affected tens of other Android Web browsers found on Google Play, so these too can be leveraged in an attack.

A Metasploit module made available by Rapid7 shows how these two security holes can be exploited for remote code execution on Android devices.

“[Exploitation of the vulnerabilities] leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device,” Rapid7’s Tod Beardsley explained in a blog post.

Advertisement. Scroll to continue reading.

Attacks can be prevented by using a browser that is not vulnerable, such as Firefox and Chrome, or by logging out of the Google account when using an affected browser, Beardsley said.

The XFO header issue was reported to Google in December and to CERT/CC in January. UXSS vulnerabilities affecting the WebView component in the browser shipped with Android 4.3 and prior will most likely not be fixed because Google has determined that it’s not practical due to the size of the code.

“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices,” the search giant said last month.

Starting with Android 4.4, OEMs are able to quickly deliver WebView patches from Google to customers. The issue of patches has been further addressed with Android 5.0 Lollipop for which updates are pushed out directly through Google Play.

Some experts believe this decision will help in reducing the negative impact of Android fragmentation on security. However, Google’s own statistics show that nearly 60% of users still utilize Android versions prior to 4.4.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.