“We suggest that smartphone owners only use apps provided by the official stores and avoid installing them from untrustworthy sources,” Zhang said.

Social media sites that allow people to sign in using their pre-existing accounts on Facebook, Twitter or another third-party site represent the second danger area, said Professor Lau Wing Cheong, one of Zhang’s colleagues who headed up a second research team.

To facilitate this, Instagram, LinkedIn and the two aforementioned sites use an authentication protocol called OAuth 2.0. 

It is also popular among Chinese social networks like microblogging site Weibo, Douban, which focuses on arts and cultural exchanges, and Renren, a platform once dubbed “China’s Facebook” that has since fallen on hard times. 

But a security flaw in the coding of this protocol allows the site to access the data of people’s previous social media accounts when they register, Lau said.

Lau said the team has “informed all the affected OSN [online social network] providers and proposed solutions that can be readily developed”. 

When the team discovered the Android bug, which proved effective in spite of phone-locking passwords, it also reached out to Google, Android’s developer. 

The US search engine giant responded by saying it had updated the system to make the devices almost impregnable when locked, but that the hacking risk remained whenever unlocked. 

Zhang said the team had not tested other operating systems yet such as Apple’s iOS.

Android dominates the market, accounting for 78 per cent of all smartphone users in the first quarter of 2015, according to the International Data Corporation. 

Facebook has 1.44 billion monthly active users while Twitter has 302 million, according to the companies’ official profiles