A flaw codenamed Android Installer Hijacking is leaving 50 percent of the operating system's users open to malware infection, according to researchers at Palo Alto Networks.
Palo Alto security researcher Zhi Xu reported in a threat advisory that the flaw affects devices running Android 4.3 and below.
"We discovered a widespread vulnerability in Google's Android OS we are calling 'Android Installer Hijacking' estimated to impact 49.5 percent of all current Android users," read the advisory.
"Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores.
"The malicious application can gain full access to a compromised device, including usernames, passwords and sensitive data."
The flaw reportedly exists in the way older Android versions install applications.
"Third-party app stores and mobile advertisement libraries usually download Android packages (APK) files to unprotected local storage and install the APK files directly," explained the advisory.
"[The process uses] a system application called PackageInstaller to complete the installation. On affected platforms, we discovered that PackageInstaller has a 'Time of Check' to 'Time of Use' vulnerability.
"In layman's terms, that simply means that the APK file can be modified or replaced during installation without the user's knowledge."
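The following is an added illustration of the check-then-use gap the advisory describes; it is not code from Palo Alto Networks, the advisory, or Android itself. It models the installer with a toy manifest format (a constructed JSON stand-in rather than a real APK), simulates a concurrent write to the shared download directory with a `during_gap` callback, and assumes the app store publishes a SHA-256 digest of the package so the client can verify the bytes it installs. The vulnerable installer re-opens the path after the user approves the permission set; the hardened one reads the file once, verifies that in-memory copy, and installs exactly those bytes, so a later swap on disk has no effect.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for an APK's manifest; a real APK is a signed ZIP.
BENIGN_APK = json.dumps({"name": "notes", "permissions": ["INTERNET"]}).encode()
TAMPERED_APK = json.dumps({"name": "notes", "permissions": ["INTERNET", "READ_SMS"]}).encode()

# Assumption: the store's server publishes this digest alongside the download.
BENIGN_SHA256 = hashlib.sha256(BENIGN_APK).hexdigest()


def parse_package(data: bytes) -> dict:
    """Parse the toy manifest (stand-in for reading AndroidManifest.xml)."""
    return json.loads(data.decode())


def permissions_allowed(pkg: dict, allowed: set) -> bool:
    """The 'check': the user approved exactly this permission set."""
    return set(pkg["permissions"]) <= allowed


def vulnerable_install(path, allowed, during_gap=None):
    """Check-then-use on a path name: the file is opened twice, so whoever can
    write to the directory between the two opens decides what gets installed."""
    with open(path, "rb") as f:
        checked = parse_package(f.read())  # time of check
    if not permissions_allowed(checked, allowed):
        return None
    if during_gap:
        during_gap()  # models another process writing to the shared directory
    with open(path, "rb") as f:  # time of use: a fresh read of the same path
        return parse_package(f.read())


def hardened_install(path, allowed, expected_sha256, during_gap=None):
    """Read the bytes once, verify them, and install exactly those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return None  # download was corrupted or replaced before we read it
    pkg = parse_package(data)
    if not permissions_allowed(pkg, allowed):
        return None
    if during_gap:
        during_gap()  # a swap on disk now cannot change what we install
    return pkg  # derived from the verified in-memory bytes, never re-read


def simulate_race():
    """Run both installers against a file in a shared directory while the
    file is replaced mid-install. Returns the two installed permission
    lists (None where the installer refused)."""
    shared_dir = tempfile.mkdtemp(prefix="toctou_demo_")
    apk_path = os.path.join(shared_dir, "notes.apk")
    allowed = {"INTERNET"}

    def swap_file():
        with open(apk_path, "wb") as f:
            f.write(TAMPERED_APK)

    with open(apk_path, "wb") as f:
        f.write(BENIGN_APK)
    vulnerable = vulnerable_install(apk_path, allowed, during_gap=swap_file)

    with open(apk_path, "wb") as f:
        f.write(BENIGN_APK)
    hardened = hardened_install(apk_path, allowed, BENIGN_SHA256, during_gap=swap_file)

    def perms(pkg):
        return None if pkg is None else pkg["permissions"]

    return perms(vulnerable), perms(hardened)


if __name__ == "__main__":
    print(simulate_race())
```

Running `simulate_race()` shows the vulnerable installer ending up with the `READ_SMS` permission the user never approved, while the hardened installer installs only what it verified. The two defensive ideas it demonstrates match the advisory's framing: never re-read a package from a location other processes can write to between approval and installation, and verify the bytes actually being installed rather than a path name.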
Palo Alto said that the flaw is particularly dangerous as it could be used to exploit early versions of popular third-party marketplaces, including Amazon's and Samsung's app stores.
The firm added that it has been in contact with "all involved parties" to help plug the flaw. Google, Amazon and Samsung had not responded to V3's request for comment at the time of publishing.
Palo Alto has published a vulnerability scanner app for general Android users in the Google Play store, which has also been open sourced on GitHub.
The flaw's discovery has sent ripples through the security community and prompted the US Computer Emergency Readiness Team (US-CERT) to issue a separate advisory urging Android users to protect themselves.
"Devices running Android version 4.4 or later are not vulnerable," read the advisory.
"US-CERT advises users to ensure their devices are running an up-to-date version of Android and to use caution when installing software from third-party app stores."
Fragmentation in the Android ecosystem has been a constant threat to the operating system's enterprise appeal.
Google has taken steps to address the problem with Android for Work which features a custom application for early Android versions.
The app is compatible with Android 4.0 Ice Cream Sandwich and above, and creates a separate, secure managed area where employees can access approved mail, calendar, contacts, documents and web browsing work apps.