Silent but violent: Foul Google Play flaw lets hackers emit smelly apps

Say it with us: 'Permissionless sharing'


A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers.

Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store.

Tod Beardsley, engineering manager at Rapid7, the firm behind the Metasploit penetration testing tool, explained that many devices running installations of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS [Universal Cross-site Scripting] exposures.

"Users of these platforms may also have installed vulnerable aftermarket browsers. Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable."

Using a browser not susceptible to widely known UXSS vulnerabilities – such as Google Chrome or Mozilla Firefox – can help mitigate the lack of universal X-Frame-Options (XFO) for the play.google.com domain. Not logging into the Google Play store is another effective way of avoiding the vulnerability.
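To make "universal" concrete from the defending side, the sketch below audits captured response headers per path and lists the pages a browser would still allow to be framed. It is an added example, not code from Rapid7 or Google; the paths and header values are constructed sample data, and the function names are hypothetical.

```python
# Added example: find pages that lack framing protection.
# SAMPLE holds constructed data, not captures from any real site.

def csp_frame_ancestors(value):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """Classify a response: 'deny', 'sameorigin', 'allowlist', 'unprotected'.

    headers is a list of (name, value) pairs so repeated headers survive.
    Simplification: only the first CSP header with frame-ancestors is used.
    """
    xfo, ancestors = None, None
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy" and ancestors is None:
            ancestors = csp_frame_ancestors(value)
        elif lname == "x-frame-options":
            token = value.strip().upper()
            # ALLOW-FROM is obsolete and ignored by current browsers, so it
            # does not count; neither does any unrecognised value.
            if token in ("DENY", "SAMEORIGIN"):
                xfo = token.lower()
    if ancestors is not None:
        # Where supported, frame-ancestors overrides X-Frame-Options.
        if ancestors in ([], ["'none'"]):
            return "deny"
        if ancestors == ["'self'"]:
            return "sameorigin"
        return "unprotected" if "*" in ancestors else "allowlist"
    return xfo or "unprotected"

def unprotected_paths(responses):
    """Paths whose responses can be framed by any origin."""
    return sorted(p for p, h in responses.items()
                  if framing_policy(h) == "unprotected")

SAMPLE = {
    "/home": [("X-Frame-Options", "DENY")],
    "/search": [("Content-Security-Policy",
                 "default-src 'self'; frame-ancestors 'self'")],
    "/error": [("Content-Type", "text/html")],
    "/embed": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    print(unprotected_paths(SAMPLE))
```

Browsers without CSP Level 2 support rely on X-Frame-Options alone, so a page classified only through `frame-ancestors` is still frameable there.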

The Play Store XFO issue was reported by Joe Vennix of Rapid7. The Metasploit firm went public with the issue on Tuesday with the publication of an advisory, accompanied by a Metasploit module that helps enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. The Register has asked Google for comment and will update this story as soon as we hear more. ®
