A vulnerability that could affect 99 percent of the world’s Android-powered phones and tablets has been unearthed within the Google-owned platform. Since more than 900 million Android devices have been activated, we’re filing this in the ‘major vulnerability’ folder.

Bluebox Security says it found ‘the Android master key’ which could allow a hacker to turn virtually any Android app into a malicious “zombie”. In other words, malware could allow hackers to remotely capture data and control functions on a device — such as calls and messages — all without raising the attention of the phone owner, Google or the app developer.

In a post on the BlueBox Security blog, CTO Jeff Forristal explains that the vulnerability dates back to Android 1.6 (aka its four-year-old Donut build). Forristal revealed the company found a method by which a hacker could modify an app’s APK code without breaking the cryptographic signature used to authenticate it.

In order words, apps could be loaded with malware but appear legitimate on the outside.

Since verified apps are granted complete access to the Android system and all applications on a phone, the security weakness is potentially huge, although it remains theoretical since it is unclear how malicious apps and updates would be served to users.

Apps listed on the Google Play store are immune from this tampering, so a hacker would need to lure a user into downloading a malicious version of an app in other ways, perhaps via a third-party app store or fake app links. A phishing email with a link to a fake update for a popular app, for example, might generate some downloads.

This is yet another reason to stick to official apps stores for downloads, although some Android owners — particularly those in China, where the Google Play store is skeletal — do frequent third-party app stores, while the fragmentation of Android is a reason others download apps from the Web.

Bluebox Security reported the hole to Google in February — according to IDG — and already the issue has been fixed for the Samsung Galaxy S4, while Google’s own Nexus range is being looked at. Most worryingly, the issue could affect older devices that are no longer updated with new Android builds.

A report from Juniper released last month claimed that mobile malware is an increasingly profit-driven business. The research firm found that 92 percent of mobile malware targets the Android platform — according to its estimates, the number of malicious mobile malware jumped 614 percent between March 2012 and March 2013 to account for more than 250,000 apps.

Headline image via Thinkstock

Read next: BootstrapAccelerator Asia officially launches with 3 Malaysian startups for its July intake