
The same way you already tell if the Google checkout dialog is legitimate? HTTPS?



An in-app purchase doesn't show a URL.


Ah, I hadn't noticed that if you were already logged in and had already entered CC information, it uses an iframe lightbox, which, you're right, naturally does not show a URL.

But then, they won't be entering any CC information without being at Google's domain. You only enter CC information at checkout.google.com, and it initiates a popup to go there if you are either not logged in or don't have a CC entered.

So, as an attacker, all they're doing is getting you (the naïve user) to click a button that looks like Google's button, and since they've already gotten you to click on a button to begin with (to initiate the transaction), they've already gotten any clickjacking exploit you need out of the user.


If you haven't made a purchase before, the payment method is listed as "Add credit card" (also without a URL) on your Android phone.


I'm a bit confused - this is about in-app purchases for the web. Are you saying that on Android, a web in-app purchase shows a lightbox for adding a credit card and does not temporarily redirect to Google?



