A weakness that can cause all the data stored on Android smartphone handsets to be erased has been found.
Websites tricked users into activating malicious code by clicking on-screen phone numbers, Ravi Borgaonkar, from the Technical University Berlin, said.
No Android could tell the difference between actual phone numbers and USSD codes recognised by handsets as instructions to re-set or wipe its memory card, he wrote in a blog post.
Android maker Google has issued a fix.
Mr Borgaonkar is urging Android phone owners to ensure they have the latest updates.
Some of the malware, which activates a factory re-set, appeared to target only Samsung devices, he added.
And once a handset was wiped there was no way to restore the data.
But McAfee security expert Jimmy Shah said the bug was not particularly attractive to cybercriminals.
"There's no benefit to the attacker if they can't make money off it or they can't steal your data," he said.
"It's really not that useful."