Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).
Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected.
R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)