Enterprise Android owners are potentially at risk from a Qualcomm Secure Execution Environment (QSEE) vulnerability, according to Duo Security.
Duo Security said in a blog post that there are a lot of potentially harmful applications out there and that, while Google does its best to keep things clean, some things occasionally get through.
"Google's security processes prevent many attempts to load malicious applications, but it's not perfect. If an attacker could bypass the screening process with a legitimate-looking application, they could socially engineer users into installing the malicious app," the firm said.
"The likelihood of getting malicious code onto a device is very low, but all it takes is one ‘success' to get attack code in the Play store. This vulnerability could be exploited on 60 per cent of all Android phones seen by Duo."
The figure is based on a sample of 500,000 Android phones. Duo found that 27 per cent of Android phones in use by enterprises are too old to get monthly security and software updates, which is very bleak news for their security.
Duo explained that these phones will be vulnerable to the Qualcomm problem unless a major update is applied.
"This doesn't affect all phones running Android, but it does affect the vast majority that have Qualcomm processors," added the firm before suggesting some alternative options and some enterprise best practice.
"Using an endpoint visibility solution, administrators can detect devices with missing supported security updates and encourage users to update. Or warn and block users on outdated vulnerable devices to keep them from accessing your company's applications and data.
"Check for updates from Android. Make sure you only install apps from well-known companies. It's not always easy, and definitely not fool-proof."
We've asked Qualcomm if it has any comment on the situation but had no reply at the time of publication.