The hole was uncovered by security research firm Bluebox last week. The company said that it had reported the vulnerability, which affects all Android versions since 1.6, to Google in February.
Each Android application has a cryptographic signature, which is supposed to ensure that the contents of an application have not been tampered with. However, the security hole means that attackers can modify the contents of an application but leave the signature intact.
This could allow attackers to infect an Android device with all manner of malware. Bluebox went so far as to demonstrate the technique by modifying the system-level software information on an HTC device such that its name appeared in the baseband version string, which is normally controlled and configured by the system firmware.
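The article does not describe the mechanism, but the class of flaw Bluebox reported is an archive that two consumers read differently: when a ZIP (an APK is one) carries two entries with the same name, a verifier that resolves names by lookup may hash one copy while an extractor that walks the directory in order uses the other, so the signed digests still check out. The Python below is an added example, not Bluebox's or Google's code and not Android's real verifier. It builds two constructed in-memory archives (the `classes.dex` and `res/strings.xml` bytes are made up), shows a lookup-by-name check passing on the tampered one, and then a per-entry audit that flags both the duplicate name and the digest mismatch.

```python
import base64
import hashlib
import io
import warnings
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def sha1_b64(data):
    """Base64-encoded SHA-1 digest, the encoding MANIFEST.MF uses for per-entry digests."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(signed):
    """Build a minimal MANIFEST.MF: one Name/SHA1-Digest section per signed entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in signed.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(blob):
    """Return {entry name: expected base64 SHA-1} from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in blob.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
            name = None
    return digests


def make_apk(signed, layout):
    """Constructed test archive: the manifest covers `signed` (name -> bytes);
    `layout` is the ordered list of (name, bytes) actually written and may
    repeat a name, which is how a tampered copy is modelled here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, build_manifest(signed))
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them
            for name, data in layout:
                z.writestr(name, data)
    return buf.getvalue()


def naive_check(blob):
    """Lookup-by-name verifier: for each manifest entry, hash whatever ZipFile.read(name)
    returns. zipfile resolves a name to the LAST central-directory entry with that
    name, so an earlier duplicate is never hashed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        digests = parse_manifest(z.read(MANIFEST))
        return all(sha1_b64(z.read(name)) == expected for name, expected in digests.items())


def first_entry(blob, name):
    """Content of the FIRST entry called `name`: how a consumer that walks the
    central directory in order and stops at the first match resolves a name."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.filename == name:
                with z.open(info) as f:
                    return f.read()
    return None


def audit_apk(blob):
    """Per-entry audit. Returns a list of findings; [] means every central-directory
    entry has a unique name and every non-META-INF entry matches its manifest digest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        infos = z.infolist()
        names = [i.filename for i in infos]
        for n in sorted(set(names)):
            if names.count(n) > 1:
                findings.append(f"duplicate entry: {n}")
        digests = parse_manifest(z.read(MANIFEST))
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue
            expected = digests.get(info.filename)
            if expected is None:
                findings.append(f"unsigned entry: {info.filename}")
                continue
            with z.open(info) as f:  # open(ZipInfo) reads THIS entry, not the last of that name
                if sha1_b64(f.read()) != expected:
                    findings.append(f"digest mismatch: {info.filename}")
    return findings


# Constructed sample archives (not real APK contents).
ORIGINAL = {"classes.dex": b"dex\n035\x00original code", "res/strings.xml": b"<resources/>"}
TAMPERED = b"dex\n035\x00modified code"
CLEAN_APK = make_apk(ORIGINAL, list(ORIGINAL.items()))
# Modified copy first, the original (whose digest matches) after it.
TAMPERED_APK = make_apk(ORIGINAL, [("classes.dex", TAMPERED)] + list(ORIGINAL.items()))

if __name__ == "__main__":
    print("naive check, clean:   ", naive_check(CLEAN_APK))
    print("naive check, tampered:", naive_check(TAMPERED_APK))
    print("first-entry consumer gets modified code:", first_entry(TAMPERED_APK, "classes.dex") == TAMPERED)
    print("audit, clean:   ", audit_apk(CLEAN_APK))
    print("audit, tampered:", audit_apk(TAMPERED_APK))
```

The example checks only the per-entry digests in MANIFEST.MF; a real APK verifier additionally checks the signature file and certificate over that manifest, which is omitted here as a simplification. The defensive point is that `audit_apk` iterates the central directory itself and hashes each entry object, so the same bytes are examined that any extractor could end up using, and a repeated name is a finding on its own regardless of which copy an installer would pick.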
Gina Scigliano, Google's Android Communications Manager, confirmed that:
A patch has been provided to our partners -- some OEMs, like Samsung, are already shipping the fix to the Android devices.
We'd expect that devices such as the Nexus 4, which run pure Android, will see the fix reach them faster than any other handsets.
While that aspect of Android fragmentation might worry owners of "regular" handsets with OEM specific loads, Scigliano added a confidence booster:
We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue -- and Verify Apps provides protection for Android users who download apps to their devices outside of Play.