Google Play, Browser Flaws Expose Android Devices to Remote Code Execution

Vulnerabilities plaguing Google Play and some Android Web browsers can be exploited by an attacker to remotely execute arbitrary code on smartphones, researchers warned on Tuesday.

According to security firm Rapid7, one of the problems is that Google Play (play.google.com) lacks appropriate X-Frame-Options (XFO) headers. These optional HTTP response headers are designed to protect against clickjacking and other types of attacks by preventing the web page from being displayed by other websites in a frame.

Rapid7 researcher Joe Vennix discovered that the Google Play Store fails to enforce a proper XFO header on some error pages.

By combining this security flaw with a recently discovered universal cross-site scripting (UXSS) vulnerability in the Web browser shipped with Android versions prior to 4.4 (KitKat), or an XSS bug in Google Play, an attacker can remotely install arbitrary Android application packages (APKs) on smartphones.

Trend Micro pointed out in September 2014 that the UXSS vulnerability found in the Android Open Source Project (AOSP) browser also affected tens of other Android Web browsers found on Google Play, so these too can be leveraged in an attack.

A Metasploit module made available by Rapid7 shows how these two security holes can be exploited for remote code execution on Android devices.

“[Exploitation of the vulnerabilities] leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device,” Rapid7’s Tod Beardsley explained in a blog post.

Attacks can be prevented by using a browser that is not vulnerable, such as Firefox and Chrome, or by logging out of the Google account when using an affected browser, Beardsley said.

The XFO header issue was reported to Google in December and to CERT/CC in January. UXSS vulnerabilities affecting the WebView component in the browser shipped with Android 4.3 and prior will most likely not be fixed because Google has determined that it’s not practical due to the size of the code.

“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices,” the search giant said last month.

Starting with Android 4.4, OEMs are able to quickly deliver WebView patches from Google to customers. The issue of patches has been further addressed with Android 5.0 Lollipop for which updates are pushed out directly through Google Play.

Some experts believe this decision will help in reducing the negative impact of Android fragmentation on security. However, Google’s own statistics show that nearly 60% of users still utilize Android versions prior to 4.4.