A security flaw discovered in almost all Android devices means that post-1.6 versions of the OS could be open to intrusion.

The information was released by Bluebox Security, which claims that the "Android master key" makes 99 per cent of devices vulnerable – that's about 900 million devices.

The flaw is down to the way Android app updates are verified, as developers are able to modify the code of an app update without breaking the cryptographic signature. In other words, it's easy for them to hack in and put some nasty code in an app on the store that appears perfectly innocent.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," said Bluebox on the potential risks.

Paranoid Android

What's worse, the flaw has existed ever since Android 1.6. Bluebox claimed that the Samsung Galaxy S4 is the only device not prone to the problem, suggesting a patch may have already been installed on the phone.

Google, which was informed of the exploit in February and is said to have since notified its device partners, and apparently working on an update for its Nexus line, but the responsibility to create and dispatch the patch for other devices lies with their respective manufacturers.

We contacted Google for a response and will update if we hear more.

Via Venturebeat