Vulnerable Android applications are traditionally exploited via malicious apps. In this paper, we study an underexplored class of Android attacks which do not require the user to install malicious apps, but merely to visit a malicious website in an Android browser. We call them web-to-app injection (or W2AI) attacks, and distinguish between different categories of W2AI sideeffects. To estimate their prevalence, we present an automated W2AIScanner to find and confirm W2AI vulnerabilities. Analyzing real apps from the official Google Play store – we found 286 confirmed vulnerabilities in 134 distinct applications. Our findings suggest that these attacks are pervasive and developers do not adequately protect apps against them. Our tool employs a novel combination of static analysis and symbolic execution with dynamic testing. We show through experiments that this design significantly enhances the detection accuracy compared with an existing state-of-the-art analysis.