The team has so far identified 14 vulnerable HTML5-based apps from three types of mobile systems, including Android, iOS and Blackberry. Developers of those vulnerable apps have been informed and in an effort to give them time to fix the problem, researchers have decided not to disclose the names of the vulnerable apps.
"Imagine you're at the airport and you want to find the free Wi-Fi. When you scan, your phone is going to display the Wi-Fi access points. That could be an easy channel for a hacker to inject malicious worm code into your smartphone," Du says. "Once the worm takes control, it can duplicate itself, and send copies to your friends via SMS messages, multimedia file sharing, and other methods."
Researchers are currently working to develop solutions to help users and app developers detect and prevent such attacks.
Details of how attacks can occur this attack are described in a paper titled "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" that the team will present at the Mobile Security Technologies workshop in May.
Du and his team are continuing their research to see what other apps might be at risk.
"We are launching a large scale search in the Google Play market and expect to find more vulnerable apps," says Du. "By 2016, it's estimated that more than fifty percent of the mobile apps will be produced using HTML-5 technology. This is just a disaster waiting to happen," he adds.