MJ Keith of Alert Logic claims that hackers using the technique seen in this app code could stage a remote takeover of an Android mobile and install a variety of malware.
Infosecurity notes that Keith says that an Android user need only visit a malware-infected website for their handset to become infected.
This infection modus operandi appears to be similar to the 'onmouseover' flaw seen in September.
Commenting on the proof-of-concept code – which is apparently limited to port 2222 on a specific IP address beginning with 10 – the Heisse Online newswire says that a test with an HTC Desire running Android 2.1 caused a browser crash.
"Officially, the exploit only is only effective on Motorola's Droid 2.0.1, 2.1, and the test was successful on an emulation of 2.0 - 1.2", says the newswire.
Keith, meanwhile, says that his code uses a known flaw in the WebKit browser framework, and was originally only present in Apple's Safari and the Ubuntu Linux distribution.
WebKit, notes Heisse Online, is now used in Google's Chrome and in the Android operating system.
The good news is that the security flaw has been fixed in v2.2 of Google Android, but the German newswire makes the comment that, since Google has never published information on security holes and patches for Android, users remain unaware of potential threats.
"It is unclear why Google retains the information and several questions about this policy remain unanswered. It is possible the information is not published out of consideration for the manufacturers of smart phones who often take many months to produce updates and commonly use unofficial adaptations of Android to suit their particular hardware", it says.