Researchers have added a module to the Metasploit Framework that can exploit these vulnerabilities on some Android devices. The attack is the result of a failure on the part of Google's Play Store Web application to completely enforce the X-Frame-Options header, a common defense against clickjacking and other attacks. Users on vulnerable platforms who are always logged in to common Google services are especially at risk, Rapid7 researchers say. The module exploits a universal XSS vulnerability in the stock Android browser prior to 4.4.
Source: https://threatpost.com/google-play-bug-can-allow-code-execution/110989/

