A new security vulnerability in the Google Play Store has been discovered by researchers that allows hackers to remotely install apps on your smartphone without your knowledge or consent. See below for ways to protect yourself from this new security threat.
What is the security problem?
The security breach is achieved through spotty browser security and a critical flaw in the Play Store's web application. The Play Store X-Frame-Options (XFO) exploit was first discovered on February 10th by researchers at Rapid7.
The vulnerability is particularly nasty for Android devices running Android 4.3 Jelly Bean and earlier, as the web browsers they ship with are less secure than newer versions on more recent versions of Android. Obscure third-party browsers are also more likely to be affected.
How does it work?
The threat comes from either a Cross-Site Scripting (CSS) vulnerability or a Universal XSS weakness that is already well documented in older browsers. Being perpetually signed into various Google services is also a large part of the problem as these services can provide hackers access to the play.google.com domain when using an affected browser (even if you don't access the Play Store in the browser).
Here's the full explanation from Risk7:
The Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store's web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device.
How do I protect myself?
To safeguard yourself against any possible risk of exposure to this security threat, you are advised to update your device to the latest version of Android and only use browsers not susceptible to widely known UXSS vulnerabilities like Google Chrome, Dolphin Browser and Mozilla Firefox.
Keep your browser apps updated and sign out of your Google accounts when browsing if you want to be extra cautious you are not affected. If you notice any apps have appeared on your device without your knowledge, be sure to look into further options to safeguard your privacy and data.
Have you been affected by hackers? What do you do to protect yourself?