Joe Vennix of Rapid7 identified the Play Store XFO vulnerability, and the firm behind Metasploit went public with the issue on Tuesday by publishing an advisory, accompanied by a Metasploit module that helps enterprise security bods test corporate-issued smartphones for exposure to the XFO vulnerability. Tod Beardsley, engineering manager at Rapid7, the firm behind the Metasploit penetration testing tool, explained that many devices running Android 4.3 (Jelly Bean) and earlier ship with browsers that have UXSS (universal cross-site scripting) exposures. Beardsley states, Beardsley goes on to explain that remote code execution is achieved by leveraging two vulnerabilities on affected Android devices. Stating more details of the Metasploit module, So using a browser such as Google Chrome or Mozilla Firefox, which are not susceptible to widely known UXSS vulnerabilities, and not logging into the Google Play store may help mitigate and avoid this vulnerability.