Google Patches Android Vulnerability

Google patches remote code execution Android Market vulnerability.

Google has fixed a critical vulnerability in the Android Market Web site that allowed potential attackers to remotely install rogue apps on visitors’ devices.

The bug stemmed from a simple cross-site scripting (XSS) weakness in the form used to publish new applications and was discovered by a security researcher at Duo Security. He explained that insufficient input validation in the application description form allowed the insertion of malicious code in the resulting application page. The code could have been used to trigger a remote app installation procedure through the INSTALL_ASSET functionality. This type of installation, which is considered a feature of the Android Market, was criticized because it does not display any prompt on the user’s device asking for confirmation.
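The flaw class described above, as an added example that is not Android Market code or the researcher's work: a hypothetical listing-page renderer, shown first with the developer-supplied description concatenated as markup and then with it encoded at output time, plus a Content-Security-Policy as a second layer. All function names, field names and the sample submission are assumptions made for illustration.

```javascript
// Added example: hypothetical listing-page renderer, not Android Market code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the description is concatenated as markup, so any tags in it
// become part of the page that every visitor's browser parses.
function renderListingVulnerable(app) {
  return `<h1>${app.title}</h1><div class="description">${app.description}</div>`;
}

// AFTER: every developer-controlled field is encoded when it is written out.
function renderListingHardened(app) {
  return `<h1>${escapeHtml(app.title)}</h1>` +
         `<div class="description">${escapeHtml(app.description)}</div>`;
}

// Second layer: a policy that refuses inline and third-party script,
// in case an encoding call is missed somewhere else on the site.
function securityHeaders() {
  return { 'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'" };
}

// Count opening tags of one element type that a browser would parse from the page.
function countTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b`, 'gi');
  return (html.match(re) || []).length;
}

// Constructed sample submission: a description carrying a script element.
const sample = {
  title: 'Flashlight & Torch',
  description: 'Bright light.<script src="https://example.invalid/x.js"></script>',
};

console.log('script tags, vulnerable:', countTags(renderListingVulnerable(sample), 'script'));
console.log('script tags, hardened:  ', countTags(renderListingHardened(sample), 'script'));
```

Encoding at output rather than filtering at submission keeps the stored description intact while guaranteeing it is rendered as text.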
