Security researchers claim they've found a nasty bug in the Android operating system which they say allows malicious trojans to masquerade as verified apps, hiding malware inside an existing program and leaving the user unaware. According to the security team at Bluebox Labs, the bug has existed since Android 1.6 Donut, and affects "99 percent" of devices on the platform.

Normally applications are verified by cryptographic signatures, so that modified updates will be rejected if the key doesn't match the one provided by the developer. But Bluebox claims it has found a way to modify an app's APK file without breaking its signature, potentially allowing malicious code to be installed if an attacker can find a way to send the user a modified software package.

How that distribution would actually occur is still theoretical. Exploiting the bug via Google's Play Store isn't possible, since Google has already updated the platform. But a user could still be tricked or lured into installing a bogus update through other avenues, including third-party app stores, phishing emails, or malicious websites. It's not known whether this vulnerability circumvents the "install from unknown sources" security setting in Android, though many users turned that on after Facebook briefly tested direct updates. A malicious firmware update posing as verified could also give an attacker full system access, allowing them to steal data or use the device as part of a botnet, if the exploit contains the right payload.

Samsung Galaxy S4 has been patched, but Nexus is still a work-in-progress

The bug is a slap in the face to users of older Android devices that have stopped receiving updates. This week, HTC announced it would discontinue updates for its One S, even though the device is barely more than a year old. The Bluebox team says the vulnerability was disclosed to Google in February 2013, but it's up to manufacturers to implement individual device patches. Chief Technology Officer Jeff Forristal tells IDG that so far Samsung's new Galaxy S4 has been patched, but oddly, Google's Nexus line is still a work-in-progress. Bluebox will reveal the full details of its research later this month at the Black Hat security conference in Las Vegas.