Security researchers have found a security hole in the Google Play Store that allows cyber criminals or hackers to hijack a phone by installing and launching malicious applications remotely on Android devices.Tod Beardsley, technical lead for the Company Metasploit Framework discovered vulnerability and – when combined with a recent Android WebView (Jelly Bean) flaw – creates a way for hackers to quietly install any arbitrary app from the Play store onto victims’ device even without the users consent. The users that are mainly affected are all users running Android version 4.3 Jelly bean or earlier versions of android which do not receive security updates from the Android security team for Webview, which allows users to read and render web pages on their phones. The vulnerability specifically on the browser is called a Universal Cross-site scripting attack, and the Google Play store is vulnerable to a Cross-site Scripting(XSS) flaw.These attacks are carried out through a web browser or browser extension to create an XSS condition, which ultimately allows scripts to be executed bypassing all security checks in the web browser. A Metasploit module has been created and made public on Github in order to help enterprise security bods test corporate-issued smartphones for exposure to the vulnerability.
Source: http://thehackernews.com/2015/02/hackers-can-remotely-install malware_12.html