This vulnerability allows an app to install any number of apps with any type of permissions without the user's explicit consent. It is based on two things:
One can build an Android app, let's call it Trojan, that requires these permissions:
android.permission.INTERNET - Allows applications to open network sockets.
android.permission.GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service.
android.permission.USE_CREDENTIALS - Allows an application to request authtokens from the AccountManager.
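For triage on the defensive side, a check for the permission set listed above in a decoded AndroidManifest.xml. This is an added example, not the author's PoC or Google's code: the function name, sample manifests and package names are constructed, and the input is assumed to be a text manifest (for instance one decoded with apktool). These permissions also appear in legitimate apps, so a hit is a review signal, not a verdict.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# The three permissions the post lists for the "Trojan" app.
TOKEN_SET = frozenset({
    "android.permission.INTERNET",
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
})

def audit_manifest(manifest_xml):
    """Report whether a decoded manifest requests the full permission set."""
    # A manifest never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = (el.get(NAME) or "").strip()
            if name:
                perms.add(name)
    missing = TOKEN_SET - perms
    return {
        "package": root.get("package"),
        "flagged": not missing,              # True only if all three are requested
        "missing": sorted(missing),
        "other": sorted(perms - TOKEN_SET),  # context for the reviewer
    }

# Constructed sample manifests (not taken from any real app).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(audit_manifest(sample))
```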
The Google fix, as far as I could tell, was to not allow the browser to automatically log in. Instead, the user will be prompted with a text that says it would allow the app to have access to all Google data. This, however, does not inform the user that it will allow automatic installation of any app, potentially causing direct and immediate loss of money.
I will not release the PoC; I think it would be too easy to cause real damage. However, it is not that difficult to implement.
2013-12-16 - Contact security(at)google.com.
2013-12-17 - Received reply that the issue was passed to security(at)android.com.
2013-12-20 - Received reply that they could not reproduce the issue.
2013-12-20 - Sent a stripped down version of the PoC, not much different.
2014-01-16 - Request status update.
2014-01-24 - Received response that the rollout of the fix started last week.
2014-02-12 - Received response that the fix is live for 100% users/devices.