Security firm Bluebox has found a new Android flaw that allows an attacker to gain access to 99% of Android devices. It can be used for anything, such as sending spam messages or stealing personal or financial information. Bluebox posted on its blog that there is a vulnerability in the Android security model, and that it has been in Android since the 1.6 release. With this vulnerability an attacker can modify an APK to make it act like part of a botnet, without changing the APK's cryptographic signature. 900 million devices are now vulnerable.
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
Jeff Forristal will tell a lot more about this flaw at Black Hat USA 2013. At this point we have to wait for Google's response and to see how they fix this vulnerability. Android now reminds me of the old Windows XP days back in 2004 and 2005.