A "master key" has been discovered by the security firm BlueBox that would allow cyber-thieves unblocked access to almost all Android phones, according to British news agency the BBC.
The "master key" acts as a bug that could exploit security weaknesses, allowing cyber attackers to do whatever they want from someone's phone, including steal data, eavesdrop or use it to send junk messages.
The weakness has been present since 2009 and is in all versions of the electronic device released since then, even though it was just recently discovered.
Google currently has no comment on the situation, according to the BBC.
The implications of the discovery are "huge," Jeff Forristal, of the BlueBox security agency, wrote on the BlueBox blog.
The weakness is a result of the way Android phones handle cryptographic verification of the programs installed in the phones. Androids use the cryptographic signatures to check that an app or program is legitimate and to ensure there hasn't been tampered with programs.
There is a method the security agency has discovered that allows the android device to be tricked into checking the signatures in such a way that malicious changes aren't detected.
An app or program that was written to exploit the bug could fully access the device with the same access that a legitimate or approved app or program would have.
"It can essentially take over the normal functioning of the phone and control any function thereof," Forristal, wrote. The company reported the bug to Google in February and is planning to reveal more information about the weakness at the Black Hat hacker conference in August.
The attack was replicated by the security firm Lookout, according to Marc Rogers, the principal security researcher there.
Google has added checking systems to its Play store to find any apps that have been tampered with, according to Rogers.
As of yet, any danger is hypothetical, as no evidence has been found that shows anyone has used the weakness for malicious means.