Threat Watch

Major Security Bug Affecting Android Devices Running on KitKat and Other Versions

Security researchers found a flaw in Android devices that affects the WebView component used by browsers such as Google Chrome and Yandex, among many others. Instant apps on the Play Store let users try out apps without actually downloading them, meaning only hardware components are used to run the apps while the storage section is not touched. Attackers take advantage of this by interrupting the path and putting a malicious app on the device, all while staying undetected. The apps are then able to spy on user information such as browser history, authentication tokens, and headers, as well as perform various other tasks. Since its discovery, the bug is believed to be the result of incorrect policy enforcement in browsers, and Google has given it a high severity rating.


Users are advised to update their mobile browser to a more up-to-date version, since KitKat's latest release was four years ago. Users can also turn off Instant Apps, which can help prevent unwanted apps from being placed on the device.