Vulnerability Summary

Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).

Affected Platforms

Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the ones most at risk. Other browsers may also be affected.

Simplified Demonstration of the XFO Gap

The following JavaScript is sufficient to elicit a response from the play.google.com domain without an appropriate XFO header:

document.body.innerHTML="<iframe src='https://play.google.com/store/apps/"+ (new Array(2000)).join('aaaaaaa')+"'></iframe>"

The following Ruby script also illustrates the lack of XFO:

require 'net/http'
require 'uri'

# Request a deliberately overlong path so that the Play Store serves an error page.
uri = URI.parse("https://play.google.com/#{"a" * 10000}")
response = Net::HTTP.get_response(uri)

# Print every response header for inspection.
response.each_header { |name, value| puts "#{name}: #{value}" }

# Net::HTTPResponse#[] looks headers up case-insensitively.
if response["x-frame-options"]
  puts response["x-frame-options"]
else
  puts "Missing x-frame-options!"
end
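The script above only reports whether the header is present. The following Ruby code is an added example (not part of the original advisory or of Rapid7's module) that classifies a response's framing policy, also honouring the CSP frame-ancestors directive that newer browsers prefer over XFO, and that can be pointed at several paths of one site so that error pages are audited alongside normal pages. The sample header sets and the function names are constructed for illustration, not captured from play.google.com.

```ruby
require 'net/http'
require 'uri'

# Classify whether a response may be framed by a third-party origin.
# Checks the CSP frame-ancestors directive first (it overrides XFO in
# browsers that support it), then X-Frame-Options.
# Returns :blocked, :same_origin_only, :restricted or :frameable.
def framing_policy(headers)
  csp = headers['content-security-policy'].to_s
  if (m = csp.match(/frame-ancestors\s+([^;]+)/i))
    sources = m[1].strip.split(/\s+/).map(&:downcase)
    return :blocked if sources == ["'none'"]
    return :same_origin_only if sources == ["'self'"]
    return :restricted # an explicit allow-list of origins
  end
  xfo = headers['x-frame-options'].to_s.strip.upcase
  return :blocked if xfo == 'DENY'
  return :same_origin_only if xfo == 'SAMEORIGIN'
  return :restricted if xfo.start_with?('ALLOW-FROM')
  :frameable # no framing protection at all
end

# Fetch each URL and return [url, status, policy] triples. Include error
# paths (e.g. an overlong path) as well as normal pages, because a gap
# on error pages alone is enough to frame the origin.
def audit_framing(urls)
  urls.map do |url|
    resp = Net::HTTP.get_response(URI.parse(url))
    headers = {}
    resp.each_header { |name, value| headers[name.downcase] = value }
    [url, resp.code, framing_policy(headers)]
  end
end

# Constructed sample header sets (hypothetical; not real responses).
SAMPLE_RESPONSES = {
  'normal page' => { 'x-frame-options' => 'SAMEORIGIN' },
  'error page'  => { 'content-type' => 'text/html' },
  'csp page'    => { 'content-security-policy' => "frame-ancestors 'none'" }
}.freeze

if __FILE__ == $0
  SAMPLE_RESPONSES.each { |name, h| puts "#{name}: #{framing_policy(h)}" }
end
```

Any path that comes back :frameable, including error pages, is a candidate for the kind of gap this advisory describes.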

Mitigations

Using a browser not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox, or the Dolphin Browser, can help mitigate the lack of universal XFO for the play.google.com domain. Not being logged into a Google account while using any browser is also an effective mitigation.

Metasploit module description

The Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4 (KitKat), as well as in some other browsers. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages and can therefore be targeted for script injection. The result is remote code execution through Google Play's remote installation feature, since any application available on the Google Play store can be installed and launched on the user's device.

Credit

The Play Store XFO vector was reported by Joe Vennix of Rapid7, Inc. The module leverages a UXSS vulnerability reported by Rafay Baloch.

Timeline

Dec 12, 2014 (Sat): Initial disclosure to security@android.com, assigned issue ID 4-2061000005664

Jan 07, 2015 (Wed): Disclosure to CERT/CC, assigned VU#715092

Feb 10, 2015 (Tue): Public Disclosure and Metasploit module landed