A newly uncovered security flaw in Android could leave as many as 99 percent of the devices currently in circulation vulnerable.
According to a newly released report from Bluebox Security, there is a security flaw that has existed in Android since version 1.6, Donut. The security flaw allows app developers to modify the code of legitimate APK files without breaking the cryptographic signature, meaning that the files could still be loaded as coming from a trusted source. The malicious parties would need to trick someone into installing the software, but they could potentially masquerade as an update from the manufacturer, the most trusted of all software in the eyes of the majority of users. Luckily they wouldn't be able to push these out over the air (OTA), so that delivery method should still be considered to be safe.
Bluebox CTO Jeff Forristal says that it notified Google as early as this past Feb. of the security hole, but in an interview with CIO he said that only one third-party phone has thus far patched the issue, that being the Samsung Galaxy S4.
At this time it is unknown when any other security patches will roll out to fix the other Android devices in circulation, so the best bet is to make sure that you only download software from the most trusted sources such as the Google Play store or updates that arrive via OTA from your phone's manufacturer.