Using a combination of vulnerabilities in the Google Play store and the Android stock browser, attackers can install malicious apps remotely on some Android devices.

The attack is the result of a failure on the part of Google’s Play Store Web application to completely enforce the X-Frame-Options header, a common defense against clickjacking and other attacks. Researchers at Rapid7 discovered that combining that weakness with an XSS flaw in another area of the Play Store, or a universal XSS in some Android browsers can allow an attacker to install and launch apps.

Developers at the Metasploit Project have added a module to the Metasploit Framework that can exploit these vulnerabilities on some Android devices.

This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection,” the documentation from Metasploit says.

“As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.”

Tod Beardsley of Rapid7 said in a blog post about the attack that users on vulnerable platforms who are always logged in to common Google services are especially at risk.

“Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected,” he said.

The module to exploit this attack is in Metasploit now, a circumstance that often is a precursor to a wave of attacks on a targeted vulnerability.