The vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.
“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,”the advisory from MWR Labs says.
Google did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.