Researcher Tod Beardsley, wrote on the blog post that the web application of Google play Store supports X-Frame-Options (XFO) and the lack of complete coverage for XFO , attackers can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>,<iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
The device which is running on Android 4.3 jelly bean and earlier version, browsers ship with UXSS exposures, is affected by the bug. Users are having habitually signed into Google services, such as Gmail or YouTube are the the ones most at risk.
Rapid7 team have develop a Metasploit module combine two vulnerabilities which gives an attacker to execute code remotely on the affected Android devices. Researchers explained that -
"First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store's web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device."