Hackers said to be able to hijack web sessions and read emails.
A web browser bug affecting users running older versions of Android has been called "a privacy disaster" by security firm Rapid7.
The flaw is said to allow attackers to scrape email data or hijack a user’s session if a webmail page is left open while a victim accesses a malicious site on versions prior to Android 4.4, the latest edition.
Tod Beardsley, technical lead for Rapid7’s Metasploit Framework: "When this vulnerability was announced by [security researcher Rafay] Baloch, it was met with total silence."
"There has been no acknowledgement of the bug from Google, as far as we can tell."
The AOSP browser has been replaced by Chrome on newer Android devices, but still works on older models, and can be installed on the latest releases.
That said Android 4.4 seems to be unaffected, but those using older versions account for three-quarters of the overall Android market, according to figures released by Google.
CBR contacted Google for comment.