Bluebox says phones from last four years vulnerable.
Android applications are vulnerable to being impersonated by malware using fake software ID, according to mobile security firm Bluebox.
A patch for the bug was released by Google in April of this year, but unpatched Android systems from 2.1 to 4.4 are still said to be vulnerable.
Jeff Forristal, CTO at Bluebox, said: "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability."
Signatures on Android work in a similar fashion to SSL (secure sockets layer) certificates used to encrypt information on the internet, and work through a PKI (public key infrastructure) identity certificate.
According to Bluebox, Android does not attempt to check the authenticity of a certificate chain by comparing a child certificate to the public certificate of the issuer, meaning hackers can bypass sandbox security that would otherwise detect malicious code.
"The problem is further compounded by the fact that multiple signers can sign an Android application, as long as each signer signs all the same application pieces," Forristal added.
"This allows a hacker to create a single malicious application that carries multiple fake identities at once."
A Google spokesman said: "We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users.
"At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."