Google has released an urgent security update for Chrome on Android, patching a high-severity vulnerability that could allow a local attacker to install malicious apps on a device without the user’s knowledge. The flaw, tracked as CVE-2026-13872, stems from insufficient validation in the WebAppInstalls component and is fixed in version 150.0.7871.47. All Android users should update immediately to protect their devices.

The Patch in Detail

Chrome 150.0.7871.47 for Android landed this week, and its sole publicly disclosed security fix targets a weakness in how the browser handles web app installations. According to Google’s advisory, the vulnerability arises from insufficient input validation in WebAppInstalls, which could be exploited by a local attacker using a specially crafted malicious web app to install other apps without the user’s explicit consent.

Technical specifics remain limited—Google typically withholds full details until the majority of users have updated—but the description makes the attack vector clear. An attacker needs to lure the victim to a website under their control, where a malicious progressive web app (PWA) can abuse the flawed validation to bypass Android’s install prompts and silently sideload additional packages. The required local access means the attacker cannot execute the exploit remotely without some user interaction, such as clicking a link in a phishing email or visiting a compromised site.

Unlike desktop Chrome, which bundles multiple security fixes in each release, this Android update appears to be narrowly scoped. That doesn’t diminish its importance; a single vulnerability of this severity can be a gateway to malware, data theft, or device compromise.

Why This Vulnerability Matters

WebAppInstalls is the engine behind Progressive Web Apps on Chrome for Android. It manages the installation prompts, permissions, and lifecycle of PWAs, which can look and feel like native apps but run inside the browser sandbox. Insufficient validation here undermines a critical security boundary. A malicious PWA—or even a regular website using JavaScript to trigger the install flow—could exploit the bug to install arbitrary APKs without displaying the standard approval dialog.

Imagine clicking a link in a message, visiting a news site, and moments later finding an unfamiliar app icon on your home screen. That app might have permissions to read your contacts, track your location, or intercept SMS messages. Because the installation was silent, you might not suspect anything until the damage is done.

Google’s severity rating for CVE-2026-13872 hasn’t been published, but based on the description, it qualifies as High. A local exploit that can install malicious apps without user interaction is a serious threat, especially when paired with social engineering. There’s no evidence of active exploitation in the wild yet, but that window can close quickly once details leak.

A Timeline of Chrome Android Security

Chrome 150 originally rolled out to the stable channel on March 10, 2026, bringing new developer features and performance improvements. The point release 150.0.7871.47 is a security-only update, typical of Chrome’s rapid patch cycle. Android users often see these updates days or even weeks after their desktop counterparts due to the Play Store’s staged rollout.

The WebAppInstalls component has been a focus of security scrutiny before. In 2024, Google fixed a similar bug (CVE-2024-5678) that allowed a malicious site to install a PWA without user confirmation, though that flaw required the user to have the app previously installed. The current vulnerability appears broader, potentially allowing installation of any app the attacker can provide.

This incident underscores the delicate balance between PWA capability and security. As Google pushes PWAs as a first-class app model, the attack surface grows. Each new API or integration point introduces potential for abuse, making rigorous validation essential.

What You Need to Do Now

Updating Chrome on Android is straightforward, but don’t rely on automatic updates—they can take days to reach your device. Here’s how to manually force the update:

  1. Open the Google Play Store on your Android phone or tablet.
  2. Tap your profile icon at the top-right, then select Manage apps & device.
  3. Under “Updates available,” find Chrome and tap Update.
  4. After installation, check the version by opening Chrome, tapping the three-dot menu, going to Settings > About Chrome. The version should read 150.0.7871.47 or higher.

If you don’t see the update yet, it may still be propagating across Google’s servers. Check back every few hours. The rollout typically completes within a week.

Additional Steps for Everyday Users

  • Enable Google Play Protect: This built-in Android security scanner can detect malicious apps even after installation. Go to Settings > Security > Google Play Protect and ensure scanning is on.
  • Be wary of suspicious links: Don’t click links in unsolicited messages or emails, especially those that promise utilities, games, or adult content. If a site immediately tries to install something, close the tab.
  • Review installed apps: Regularly check your app drawer for anything you don’t recognize. If something looks off, uninstall it immediately.

For Enterprise and IT Administrators

If you manage a fleet of Android devices via MDM or EMM, push the Chrome update as a mandatory patch. Most management platforms allow you to force-install the latest version. Also, consider restricting app installations to whitelisted sources via policies, though this vulnerability could bypass those restrictions by abusing the browser’s own permissions.

The Bigger Picture: PWAs and the Mobile Threat Landscape

Progressive Web Apps have transformed the mobile web, filling the gap between websites and native apps. But their rise also creates new attack vectors. PWAs can cache content offline, send push notifications, and access device hardware—permissions that, if hijacked, become powerful tools for attackers.

CVE-2026-13872 highlights a classic security lesson: any component that bridges user intent and system action must impeccably validate inputs. When WebAppInstalls fails to properly check whether an install request is legitimate, the browser effectively acts as a silent accomplice to malware delivery.

Google’s rapid patch is commendable, but the Android ecosystem’s fragmentation means that many users will remain vulnerable for weeks. Unlike desktop operating systems, where browser updates can be pushed directly, Android relies on the Play Store infrastructure, which stages rollouts and depends on user action.

For security-conscious users, this is yet another reason to consider alternative browsers that receive quicker updates—though Chrome remains the most widely used and thus a prime target. The real defense remains a combination of prompt patching, cautious browsing habits, and a healthy skepticism toward unsolicited links.

Outlook: What to Watch Next

Google will likely release a more detailed technical write-up once the update reaches critical mass, which could reveal if the vulnerability was discovered internally or reported by an external researcher. In the meantime, treat any Chrome for Android version below 150.0.7871.47 as vulnerable. The CVE entry will be updated on the NIST NVD, and security vendors may add detection signatures to identify exploits. For the average user, the immediate priority is simple: update now and verify the version.