Vulnerability Summary

Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).

https://community.rapid7.com/community/metasploit/blog/2015/02/10/r7-2015-02-google-play-store-x-frame-options-xfo-gaps-enable-android-remote-code-execution-rce