Android Vulnerability: Install Apps Without the User's Explicit Consent
March 10, 2014

A trojan app contains a WebView that silently logs into the user's Google account: it requests an auth token from the Android Account Manager, and the user is neither notified nor given any way to stop it. The WebView then loads the Google Play web site and injects JavaScript code once the page has loaded. Because the browser session is already authenticated as the user, the injected JavaScript can request the account's device information and CSRF tokens, which tells it about every device registered to that account. With those tokens in hand it can issue the same request the Play web site uses for remote installs, installing ANY app from Google Play on EVERY device registered to that Google account. The user is never prompted and has no way to stop it.
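As an added example that is not part of the original post: a small triage script for the pattern described above, which looks for the two halves of the technique in an unpacked APK, the permissions an app needs to enumerate accounts and request auth tokens from AccountManager (GET_ACCOUNTS and, before API 23, USE_CREDENTIALS), and string constants that point to a WebView injecting JavaScript on page load. The indicator list, the scoring thresholds and the two sample APKs (manifest plus string constants) are constructed for illustration; they are not a published detection rule, and the Google Play endpoints the trojan talks to are deliberately not modelled.

```python
"""Heuristic triage for the AccountManager-authtoken + WebView-injection pattern.

Added example, not code from the original post. Input is an APK's
AndroidManifest.xml (as text) and its string constants, e.g. from
`aapt dump strings` or a decompiler. Indicators and scoring are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions needed to list accounts and call AccountManager.getAuthToken()
# (USE_CREDENTIALS was required up to API 22).
ACCOUNT_PERMS = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
}

# Substrings in string constants that point at the WebView half of the attack.
# Assumed indicator set; tune for your own corpus.
INDICATORS = {
    "getAuthToken": "AccountManager.getAuthToken() call",
    "setJavaScriptEnabled": "JavaScript enabled in a WebView",
    "onPageFinished": "page-load callback used to inject script",
    "javascript:": "loadUrl(\"javascript:...\") injection",
    "play.google.com": "Google Play web site referenced",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def find_indicators(strings):
    """Map each indicator substring present in any string constant to its meaning."""
    found = {}
    for s in strings:
        for needle, meaning in INDICATORS.items():
            if needle in s:
                found[needle] = meaning
    return found


def triage(manifest_xml, strings):
    """Combine permissions and string indicators into a low/medium/high verdict."""
    perms = ACCOUNT_PERMS & declared_permissions(manifest_xml)
    hits = find_indicators(strings)
    # Both account permissions plus a getAuthToken reference: can mint a token.
    can_get_token = perms == ACCOUNT_PERMS and "getAuthToken" in hits
    # Script injection into a loaded page, the other half of the technique.
    injects_js = "javascript:" in hits or "onPageFinished" in hits
    if can_get_token and injects_js:
        verdict = "high"
    elif can_get_token or injects_js:
        verdict = "medium"
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "indicators": hits, "verdict": verdict}


# Constructed sample input: a manifest and strings resembling the trojan.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application/>
</manifest>"""
SUSPECT_STRINGS = [
    "getAuthToken",
    "setJavaScriptEnabled",
    "onPageFinished",
    "javascript:(function(){/* fetch device list and CSRF token */})();",
    "https://play.google.com/store/apps",
]

# Constructed benign sample: a WebView app with no account access at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_STRINGS = ["setJavaScriptEnabled", "https://example.com/help"]

if __name__ == "__main__":
    for name, m, s in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS),
                       ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(name, triage(m, s))
```

The verdict only reaches "high" when the app can both obtain a token (both account permissions declared and a getAuthToken reference) and inject script into a loaded page; either half alone is "medium", because legitimate apps use each of these building blocks on its own.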