It's time for bad news, good news and more bad news.
Bad news: A security researcher has discovered a devastating vulnerability, dubbed BroadPwn, that can remotely compromise both Android devices and iPhones. Good news: Google has already issued an Android patch that fixes the flaw. More bad news: There's no fix for iPhones available, and unless you have a Pixel or Nexus phone, your Android device is still vulnerable too.
Information on the vulnerability comes from two sources: an Android security bulletin from July 5 and an abstract of a presentation scheduled for the upcoming Black Hat security conference (July 26-27) by Israeli researcher Nitay Artenstein. The flaw affects Broadcom Wi-Fi chips, hence its name, and could allow malefactors to hijack phones without any input on the owner's part.
The exact details of how the exploit works aren't available yet, but Artenstein and Google did provide a few hints. BroadPwn (or CVE-2017-9417, to use the official designation) takes advantage of the "mysterious, closed-source HNDRTE operating system," according to Artenstein's abstract. The flaw appears to affect Broadcom's BCM4354, 4358 and 4359 chips. A wide variety of phones use these chips to connect to Wi-Fi, including models from HTC, LG, Google, Samsung and Apple.
BroadPwn appears to be completely different from another Broadcom flaw, disclosed in April, that affected the Google Nexus 5, 6 and 6P, every iPhone since the iPhone 4 and most flagship Samsung phones. Apple (with iOS 10.3.1) and Google (with the April Android security bulletin) have patched the older flaw.
Google explained in the July Android security bulletin that BroadPwn could "execute arbitrary code within the context of the kernel," meaning that it could compromise a phone at the deepest level of software. Since you can't simply install an antivirus program for a Wi-Fi chipset the same way you can for a smartphone OS, the flaw could indeed be as devastating as Artenstein and Google suggested.
Apple has yet to issue any kind of statement on BroadPwn, which leaves many questions unresolved. It's not clear which iPhone models might be affected — most models since the iPhone 4 seem to use Broadcom chips — or whether Apple has already issued a patch. But the listed CVE number is not in Apple's three most recent iOS security bulletins, and given Apple's occasional tendency to drag its heels on security issues that it didn't discover itself, we'd give even odds that iPhones are not yet safe.
Furthermore, just because Google has issued an Android patch doesn't mean that every Android phone will get it. Most phone manufacturers use slight variations on the Android OS for their handsets, and carriers then add additional modifications. When (or if) you get a BroadPwn patch will depend a lot more on Samsung, LG, Verizon and AT&T than it will on Google.
There's not much else you can do to protect yourself, since mobile antivirus software can't prevent an attack at the level of a Wi-Fi chip. Google mentioned that it's not aware of the attack being used in the wild, so take solace that it's likely no one but Artenstein has figured out how to exploit it — yet. After Black Hat, all bets may be off.