Websites tricked users into activating malicious code by clicking on-screen phone numbers, Ravi Borgaonkar, from the Technical University Berlin, said.
No Android could tell the difference between actual phone numbers and USSD codes recognised by handsets as instructions to re-set or wipe its memory card, he wrote in a blog post.
Android maker Google has issued a fix.
Mr Borgaonkar is urging Android phone owners to ensure they have the latest updates.
Link to Original Source