A mobile phone security company claims it has found a flaw that affects some 900 million Android devices, a flaw that could serve as a “master key” for hackers to turn any App into a Trojan.

The Bluebox Company says the flaw has been part of the Android operating system since Android v1.6 “Donut”.  The company estimates as many as 99 percent of Android devices in use are at risk of being exploited.  BlueBox reported finding the bug to Google in February, and is promising to release more information on “the master key” next month.

Any danger from this coding loophole seems to be theoretical, because a hacker would have to get infected apps past the Google Play Store.  And there is no evidence that any hackers or cyber-thieves are exploiting the flaw.

Google is not commenting on the report.  But the Samsung Galaxy S4 has already apparently been patched and it is likely that Google is working on a patch for the vulnerability.