Security researchers from Bluebox Labs have claimed that they have discovered a four year old Android bug that could be exploited by malware to disguise themselves as verified apps and take over a user’s device. The researchers claim that the bug allows malicious software to change the code of an APK file without leaving evidence, which means that all that a user will have to do to be affected is install the app on a device.

The Bluebox team says that the bug has existed since Android 1.6 (Donut). However, a hacker can’t distribute the modified app through Google Play as the app store has been patched to verify the contents of all apps downloaded. It still appears to be a serious problem because installing apps from third-party sources, where security measures can be lax, is quite popular among Android users. In fact, in the recent past, Facebook experimented with serving updates directly to Android devices without using the Play Store. Also, Android devices that haven’t been updated are at risk from this vulnerability. Once the malware is installed using the bug, a hacker could take over the user’s device, steal personal data or use the device as part of a botnet attack.