Staff at Bluebox Security have discovered security hole within Android’s security model. The new security hole is said to affect up to 99 percent of existing Android devices. The vulnerability discovered has existed since Android 1.6 (Donut) and provides malicious app developers the ability to modify the code of a legitimate APK or application without breaking its cryptographic signature thus allowing the installation to go unnoticed. To execute the exploit, the app developer would need to trick a user into installing the malicious update.
Bluebox stated that it notified Google of the exploit in February and that the Galaxy S 4 as the only known device currently immune to the exploit.
Source: Bluebox Security