New Android Installer Vulnerability Exposes Android Device Users to Data Theft
A vulnerability in Google's Android mobile operating system allows attackers to hijack the installation of a seemingly safe Android application -- an Android Package File (APK) -- on a user's device and replace it with an app of the attacker's choice, without the user's knowledge. Discovered by security firm Palo Alto Networks, the vulnerability is estimated to affect about 49.5 percent of current Android device users. It allows attackers to potentially distribute malware, compromise devices and steal user data.
According to Palo Alto Networks researcher Zhi Xu, the vulnerability exploits a flaw in Android's "PackageInstaller" system service, allowing attackers to silently gain unlimited permissions on compromised devices.
During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.
This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions while potentially gaining full access to the services and data on the user's device, including personal information and passwords.
While users believe they are installing a flashlight app or a mobile game with a well-defined and limited set of permissions, they are actually installing potentially dangerous malware.
The vulnerability affects Android applications downloaded from third-party sources, and does not affect applications accessed from Google Play.
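The core of the problem described above is that the permissions a user is shown come from one read of the APK, while the package that ends up installed comes from a later read of the same file, which an attacker on the device can replace in between. The following simulation is an added example, not Palo Alto Networks' proof of concept and not Android's real PackageInstaller code. It uses a constructed toy "APK" format (name, permission list and payload separated by `|`) and a `FileSlot` object standing in for a file in writable storage. It contrasts a naive installer, which re-reads the file and installs whatever is there, with a hardened one that pins a SHA-256 digest of the bytes it showed to the user and refuses to install anything else. The `swap_during_prompt` flag only simulates the file being replaced while the prompt is on screen, so the two behaviours can be compared.

```python
import hashlib

class FileSlot:
    """Stands in for an APK file in storage that other code on the device can overwrite (constructed)."""
    def __init__(self, data: bytes):
        self.data = data

def parse_apk(data: bytes) -> dict:
    """Parse the toy APK format used in this example: b'name|perm1,perm2|payload' (constructed, not real APK parsing)."""
    name, perms, payload = data.split(b"|", 2)
    permissions = tuple(p.decode() for p in perms.split(b",") if p)
    return {"name": name.decode(), "permissions": permissions, "payload": payload}

def digest(data: bytes) -> str:
    """SHA-256 hex digest of the exact bytes the installer read."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample packages: the benign app asks for one permission,
# the replacement asks for access to SMS and contacts.
BENIGN_APK = b"flashlight|android.permission.CAMERA|benign-code"
REPLACED_APK = b"flashlight|android.permission.READ_SMS,android.permission.READ_CONTACTS|other-code"

def run_install(slot: FileSlot, verify_hash: bool, swap_during_prompt: bool = False):
    """Simulate an installer session.

    1. Read the APK and show its permissions to the user.
    2. (Simulated) the file is replaced while the prompt is displayed.
    3. Read the APK again and install it.

    With verify_hash=True the installer pins the digest from step 1 and
    rejects step 3 if the bytes differ. Returns a tuple of
    (permissions shown, permissions actually installed or None, outcome).
    """
    shown = parse_apk(slot.data)
    pinned = digest(slot.data)          # what the user actually consented to

    if swap_during_prompt:
        slot.data = REPLACED_APK        # simulated replacement of the file on disk

    data = slot.data                    # second read, as a naive installer would do
    if verify_hash and digest(data) != pinned:
        return shown["permissions"], None, "rejected: file changed after permissions were shown"

    installed = parse_apk(data)
    return shown["permissions"], installed["permissions"], "installed"

if __name__ == "__main__":
    for verify in (False, True):
        shown, installed, outcome = run_install(FileSlot(BENIGN_APK), verify_hash=verify, swap_during_prompt=True)
        print(f"verify_hash={verify}: shown={shown} installed={installed} -> {outcome}")
```

The naive path reproduces the mismatch the article describes: the user is shown a single camera permission, yet the package that gets installed declares SMS and contacts access. The hardened path shows the minimal check an installer needs: consent is bound to a digest of the exact bytes displayed, and any file that no longer matches is refused. A real fix also keeps the file somewhere other software on the device cannot modify during the prompt, but the digest check alone is enough to turn a silent substitution into a visible failure.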
Google and Android device manufacturers such as Samsung and Amazon are aware of the issue and plan to patch the vulnerability in affected versions of Android. But some older-version Android devices may remain vulnerable.