Bluebox Security researchers recently uncovered an Android vulnerability that enables hackers to modify APK code without affecting the cryptographic signature of the application, allowing an attacker to turn any legitimate app into malware without the app store, device or user noticing the difference (h/t Computerworld).

The researchers say the vulnerability has been in place at least since the release of Android 1.6, and could affect any Android phone released in the last four years -- nearly 900 million mobile devices.

And the risk could be magnified if an app developed by a device manufacturer is modified. "Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed," Bluebox CTO Jeff Forristal noted in a blog post.

"The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)," Forristal added.

Even more disturbingly, Forristal noted, a hacker could also leverage the same vulnerability to create a botnet of infected devices.

Forristal plans to present technical details of the flaw, which was disclosed to Google in February, during a talk at Black Hat USA 2013 on August 1, 2013.