The vulnerability is reported to have been present since the release of Android 1.6.
Bluebox Labs, the research division of Bluebox Security, has discovered a vulnerability in Android’s security model that enables a hacker to modify APK code without breaking an application’s cryptographic signature.
The vulnerability, which has been present since the release of Android 1.6, also known as Donut, can turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone or the end user.
Bluebox CTO Jeff Forristal said: "The implications are huge!"
Forristal added that the vulnerability could affect any Android phone released in the last 4 years or about 900 million devices and,depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
Bluebox said that installation of a Trojan application from the device manufacturer can grant the application full access to Android systems and all applications and their data.
The application is able to read arbitrary application data on the device such as emails, SMS messages, documents and retrieve all stored accounts as well as service passwords.
The security firm noted that it apprised Google of this Android vulnerability in February of this year.
Bluebox said it will release tools and more information about the vulnerability at Blackhat USA 2013, which is scheduled to take place later this month.
Earlier this year, Bluebox Labs introduced Dexter, a free tool which helps researchers and enterprise security teams analyse applications for malware and vulnerabilities.