The Android code has a hole that allows a hacker to modify a digitally signed Android application package file and not break its cryptographic signature - which would normally set off a red flag that something is amiss.
Security experts at Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas next month.
Some handset vendors have patched the problem and Google will release a patch to the Android Open Source Project (AOSP).
Bluebox chief technology officer Jeff Forristal said that the vulnerability affects multiple generations of Android devices for the last four years. Nearly 900 million devices are potentially affected.
The best case scenario is that an Android device would be jailbroken, but it is possible for an attacker to inject a legitimate application with malware that could enable the attacker to read sensitive data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.
Normally applications are digitally signed to establish or confirm the identity of the developer and the signatures and also to ensure that any future updates are issued only by the application's developer.
Applications developed and pre-installed by handset manufacturers that are platform-signed are granted system level access, one layer away from root access.
This means that if you can get your hands on a platform-issued application, you can get full access to the system and that includes applications, accounts, passwords, essentially everything the OS is in charge of handling.
Forristal told Threatpost that the fix is relatively painless and involves two lines of code in a very specific location. It requires a firmware update to the device, but fixing the bug is simple. It's more complicated to issue a firmware update.