Palo Alto Networks has discovered a widespread vulnerability in Google's Android mobile operating system that allows attackers to hijack the installation of the Android Package File (APK) app on user devices and replace it with an app of the attacker's choice.
This occurs without the user's knowledge, the company said.
Palo Alto Networks estimated that this vulnerability is affecting by 49.5 per cent of current Android device users, allowing attackers to potentially distribute malware, compromise devices and steal user data.
The company has released an application that potentially helps affected Android users diagnose their devices.
The vulnerability was discovered by Palo Alto Networks' Unit 42 threat researcher, Zhi Xu.
The vulnerability exploits a flaw in Android's PackageInstaller system service, allowing attackers to silently gain unlimited permissions in compromised devices. It affects Android applications downloaded from third-party sources, and does not affect apps accessed from Google Play, the company said.
During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.
The vulnerability allows hackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user's device, including personal information and passwords.
While users believe they are installing a flashlight app or a mobile game with a well-defined and limited set of permissions, they are actually running potentially dangerous malware, the company said.
The Unit 42 team has worked with Google and Android device manufacturers such as Samsung and Amazon to protect users and patch the vulnerability in affected versions of Android. Although some older versions of Android may remain vulnerable, the company said.
Follow Byron Connolly on Twitter:@ByronConnolly