A 'master key' for Android phones that makes 99 per cent of all devices that run on the system vulnerable to cyber attack has been discovered by security firm Bluebox.
The loophole could give a hacker complete control of the phone, enabling them to steal data, record calls, retrieve account information and passwords and send junk messages.
The bug has been present in every version of the Android operating system since 2009, meaning up to 900 million devices could be affected.
The vulnerability stems from the cryptographic verification process used during the installation of applications which allows Android to determine whether an app is legitimate and has not been tampered with.
However, Bluebox researchers discovered that they could modify the APK code (used by Android to instal apps) without affecting the cryptographic signature.
This would allow a malicious author to trick Android into thinking the app is genuine, so creating a malicious Trojan that would go unnoticed by the app store, phone and user.
Writing in a blog post which outlined the findings, Jeff Forristal, Bluebox CTO said: "The implications are huge!...Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."
Forestal went on to say that the bug had been reported to Google in February, adding "It's up to device manufacturers to produce and release firmware updates for mobile devices."
There is no evidence that the loophole has been exploited by cyber thieves or hackers.