Vulnerability Summary
Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).
Affected Platforms
Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected.
Simplified Demonstration of the XFO Gap
The following Javascript is sufficient to elicit a response from the play.google.com domain without an appropriate XFO header:
document.body.innerHTML="<iframe src='https://play.google.com/store/apps/"+
(new Array(2000)).join('aaaaaaa')+"'></iframe>"
The following Ruby script also illustrates the lack of XFO:
require 'net/http'
require 'uri'
uri = URI.parse("https://play.google.com/#{"a" * 10000}")
@r = Net::HTTP.get_response uri
ret = @r.each_header {|x| puts x}
if ret["x-frame-options"]
puts ret["x-frame-options"]
else
puts "Missing x-frame-options!"
end
Mitigations
Using a browser not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox, or the Dolphin Browser, can help mitigate the lack of universal XFO for the play.google.com domain. Not being logged into a Google account while using any browser is also an effective mitigation.
Metasploit module description
The Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store's web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device.
Credit
The Play Store XFO vector was was reported by Joe Vennix of Rapid7, Inc., which leverages a UXSS vulnerability reported by Rafay Baloch.
Timeline
Dec 12, 2014 (Sat): Initial disclosure to security@android.com, assigned issue ID 4-2061000005664
Jan 07, 2015 (Wed): Disclosure to CERT/CC, assigned VU#715092
Feb 10, 2015 (Tue): Public Disclosure and Metasploit module landed