Ade Barkah discovered that an incorrect time setting can enable photos to be viewed on a locked device.
Many home Wi-Fi networks are at risk thanks to an exploit released over the holidays, but enterprise organizations are generally unaffected by the vulnerability.
The malware sends the phone model and number, Android version, and IMEI number to a remote server.
The malicious software is detected by Kaspersky as Trojan-SMS.AndroidOS.Scavir.
The WPS attack tool was released this week by Tactical Network Solutions.
The vulnerability has been tested and confirmed on several Windows Phone devices.
According to Veracode, 40 percent of Android apps contain at least one instance of hard-coded cryptographic keys.
The new services offering is intended to help organizations assess and mitigate the risk associated with deployment and use of mobile devices.
The vulnerability can enable attackers to record conversations and monitor location data.