Discovered in February by Rafay Baloch and disclosed Monday after it was fixed, the bug allowed the browser's address bar to be spoofed. That can be enough to convince a victim of a phishing email or text message to enter their usernames and passwords.
The bug was patched in early April and then again later in April. It affected Android 4.4 "KitKat" and Android 5.0 "Lollipop."
Rapid7, which detailed the flaw, said users should contact carriers or handset makers to ensure they received the patch.
But there is bad news for Apple, which now has to scramble to fix a similar flaw found in its Safari browser.
A proof-of-concept exploit was published Sunday that allows an attacker to spoof the address bar in Safari on iPhones, iPads, and Macs. The exploit is far from perfect, as the browser can be seen fighting the code to try to display the correct address.
It's not known if Apple, which did not immediately comment, is aware of the bug.
We reached out to the security researcher but did not hear back at the time of writing.