November 16th, 2018
Google has dealt with many malware issues targeting Android devices over the past several weeks, but it seems its own software, the Google Play Store, also has some serious issues. Tod Beardsley, engineering manager at Rapid7, warns that an X-Frame-Options flaw, when combined with a recent Android WebView (Jelly Bean) bug (more about that bug here), creates a way for hackers to install apps onto a user's device without the user's knowledge or consent.
This vulnerability affects users running Android 4.3 Jelly Bean and users who have installed third-party browsers that are vulnerable to the UXSS attack.
There are ways to reduce the risk of having an app installed without your permission. First of all, we highly recommend you update your device to the latest Android version. Other than that, we also recommend you do not use any third-party browsers; instead, use Chrome or Mozilla Firefox for Android, since neither browser is susceptible to the widely known UXSS vulnerabilities.
For the vulnerability to be used to install an app without your knowledge, you have to be logged into the Play Store, so making sure you are not logged in could be an effective way of avoiding the vulnerability.