Duo Security researcher Kyle Lady says attackers can compromise more than half of enterprise Android phones by chaining two operating system and chip vulnerabilities.
The flaws affect scores of phones on the market from the most popular Lollipop version 5 Android system, second-placed KitKat version 4.4, and the barely-used modern Marshmallow version 6.
Some 60 percent of enterprise Android phones are affected based on tests of half a million phones.
Affected users can apply a January patch if one is available, although Android handsets other than Nexus units are locked into custom vendor ROMs and as such must hope manufacturers will distribute Google's security updates.
About 27 percent of those devices were Android relics and so old they could not be owned using the attacks.
"If an attacker can get a user to run a malicious app on an affected Android device, the attacker can gain complete control over the entire device by exploiting this QSEE vulnerability," Lady says.
"This attack requires exploiting some vulnerability in mediaserver, and we’re assuming that the attacker has one, given how frequently critical or high severity bugs in mediaserver are found and patched.
"While the likelihood of getting malicious code onto a device is very low, all it takes is one success to get attack code in the Play Store."
Users need to download an attacker's app to be compromised, a gaffe which could be considered game-over regardless of any vulnerabilities in Android.
Malware developers are constantly finding success in uploading malicious applications to the Google Play Store, slipping undetected past Mountain View's security checks.
From there the malware exploits functions like accessibility, screen overlay, and root rights. The Marshmallow platform is much more hardened than Lollipop and significantly more so than KitKat.
Now Lady (@kylelady) says a Qualcomm Secure Execution Environment (QSEE) vulnerability (CVE-2015-6639) that colleague Gal Beniamini (@laginimaineb) reported earlier this month affects scores of enterprise Android phones.
Lady says the attacks are not of the heightened risk level of the seemingly-immortal Stagefright vulnerability, which can compromise Android phones with little more than a phone number.
About one in 200 phones contains an unwanted or malicious application in what could be an indication of the potential effectiveness of Beniamini's attack.