It doesn’t get much scarier than this. Bluebox Security claimed to have discovered a vulnerability in Android’s security model that could allow attackers to convert 99 percent of all applications into Trojan malware. Google has told ZDNet that the hole has been patched and that it has been released to original equipment manufacturers (OEM)s. Bluebox Security CTO Jeff Forristal had said that this Master Key vulnerability has been “around at least since the release of Android 1.6, [and] could affect any Android phone released in the last four years — or nearly 900 million devices.” This security vulnerability is in how Android applications are verified and installed. Each application has a cryptographic signature, to ensure that the contents of an application have not been tampered with. The security hole, however, enables attackers to change the contents of an application while leaving the signature intact.