
First known cases of Android 'Master Key' security hack exposed in China

The first known cases of hackers exploiting the Android 'Master Key' vulnerability have been discovered by researchers from Symantec.

The major security bug, which was first exposed earlier this month, has been used to infect two Chinese applications.

Hackers have added malicious code to the apps, modifying them in such a way that smartphones with the affected apps installed can be controlled remotely.

According to Symantec, this malware, named 'Android.Skullkey', enables cyber-criminals to steal personal data and send premium text messages from compromised devices. They can also disable a number of Chinese mobile security software applications.

Though the compromised apps are legitimate, they both hail from Chinese Android marketplaces.

The enormous Android vulnerability was first uncovered in early July by Bluebox Security, which also confirmed that 99 per cent of Android devices (900 million smartphones and tablets) were at risk of being hacked.

The flaw, which has existed for a staggering four years, enables attackers to gain complete access to an Android device's data by modifying applications without breaking their cryptographic signature.

Users have been urgently advised to protect themselves against the flaw.

"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," said Symantec. "Symantec recommends users only download applications from reputable Android application marketplaces."

Apple last month posted a chart, highlighting the extent of Android's fragmentation, which has proved a blessing, as well as a curse, for the operating system.

This isn't welcome news for Google though, as it gears up for the launch of the Nexus 7 2 and Android 4.3.