A vulnerability in Android's default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.
Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.
The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.
Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.
The issue stems from the browser's improper handling of error 204 "No Content" when returned by servers. The researcher created a proof-of-concept exploit that redirects the browser to a non-existent resource on www.google.com, but then loads a spoofed Google Account login page.
The browser patch for Chrome was distributed to Android Lollipop users through Google Play, but the fix for Android 4.4 (KitKat) will require an OS update whose availability will depend on device manufacturers and carriers, said Tod Beardsley, security research manager at Rapid7, via email.
According to Google's official statistics, almost 40 percent of Android devices that access Google Play are running Android 4.4 and only 10 percent run Android 5.x.
Android 4.4 users who haven't received an OS update recently should avoid using the stock browser to access sites that require authentication, Rapid7 said in an advisory. Chrome or other browsers that are updated through Google Play can be good alternatives.
Users who run Android versions older than 4.4 should stop using the Android stock browser, also known as the AOSP browser, anyway because Google will no longer release security patches for it.