The malicious software is detected by Kaspersky as Trojan-SMS.AndroidOS.Scavir.
The WPS attack tool was released this week by Tactical Network Solutions.
The vulnerability has been tested and confirmed on several Windows Phone devices.
According to Veracode, 40 percent of Android apps contain at least one instance of hard-coded cryptographic keys.
The new services offering is intended to help organizations assess and mitigate the risk associated with deployment and use of mobile devices.
The vulnerability can enable attackers to record conversations and monitor location data.
Using scientific methods, Symantec researchers aim to profile the IT threat landscape.