Researchers at Trend Micro have uncovered a flaw in the Apache Cordova mobile API framework used by one in 20 Android applications, which could be exploited remotely by hackers.
Trend Micro mobile threats analyst Seven Shen reported uncovering the flaw in a threat advisory.
"We've discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL," read the advisory.
"Designated as CVE-2015-1835, this high-severity vulnerability affects all versions of Apache Cordova up to 4.0.1. Apache has released a security bulletin confirming the vulnerability.
"This means that the majority of Cordova-based apps, which accounts for 5.6 percent of all apps in Google Play, are prone to exploits."
The bug reportedly stems from a flaw in the way the framework handles app developer preferences.
"The vulnerability is found in a Cordova feature where secondary configuration variables (also known as 'preferences') could be set from intent bundles in the base activity," explained the Trend Micro advisory.
"Preferences are a set of variables reserved for developers to configure their apps. They are the sources of the build-in characteristics of Cordova-based apps and should be controlled only by app developers.
"Any tampering with these variables during runtime initialisation will certainly mess up the app's normal behaviour."
The flaw can reportedly be exploited for a variety of purposes, including tampering with the UI's appearance, injecting pop-ups, texts and splash screens, modifying basic functionalities and crashing the app.
Trend Micro has already published proof-of-concept attacks targeting the flaw.
The firm said that it has alerted Apache to the flaw, but urged developers to manually adjust the preferences for their applications ahead of a full fix.
"We privately disclosed this vulnerability to Apache, and they have released an official bulletin," said Trend Micro.
"We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability."
The Apache flaw is one of many recently uncovered mobile threats. Researchers at SourceDNA uncovered an AFNetworking SSL flaw in April in at least 25,000 iOS applications, leaving iPhone and iPad users open to man-in-the-middle attacks.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition