Bluebox CTO Jeff Forristal said the flaw has been around since Android 1.6 Donut and affected any device released in the last four years or, as he claimed, 99% of all Android devices.
The risk is likely to be smaller than Forristal suggests, since a hacker would have to get their malware past Google's defences on the Google Play store, and there's no evidence to suggest anyone is actively exploiting the vulnerability.
The flaw exploits "discrepancies" in how Androids apps are cryptographically verified, said Forristal.
Android’s developer rules mean installed apps must be signed with a certificate, the key for which is held by the developer. Android uses that signature to determine whether an app’s code, or APK file, has been tampered with – anything without the signature certificate won’t install or run on a user’s device.
The signing system also means that any sensitive data stored by the app is only accessible to versions signed with the original developer’s key.
But flaws in that system means a hacker can change an app’s code without breaking the signature, and then trick Android into thinking an app is legitimate when it isn’t.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," said Forristal.
He pointed out that the risk becomes more serious if hackers modify preinstalled apps developed by the device manufacturer, giving them the same system privileges as the legitimate version.
"Installation of a trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed," he said.
That means a hacker gains access not just to personal data stored on apps, such as emails and texts, but also any stored passwords. They could also make calls, send messages, record calls or use the camera remotely.
Bluebox disclosed the vulnerability to Google in February, but said that it was up to individual handset manufacturers to issue patches. Google hasn't responded to a request for comment.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
