Ah, I hadn't noticed that if you were already logged in and had already entered CC information, it uses an iframe lightbox, which, you're right, naturally does not show a URL.
But then, they won't be entering any CC information without being at Google's domain. You only enter CC information at checkout.google.com, and it initiates a popup to go there if you are either not logged in or don't have a CC entered.
So, as an attacker, all they're doing is getting you (the naïve user) to click a button that looks like Google's button, and since they've already gotten you to click on a button to begin with (to initiate the transaction), they've already gotten any clickjacking exploit you need out of the user.
I'm a bit confused: this is about in-app purchases for the web. Are you saying that on Android, a web in-app purchase shows a lightbox for adding a credit card and does not temporarily redirect to Google?