A serious security flaw was found in nearly all Android devices with operating versions since 1.6, leaving it open to attackers to take over.

According to BlueBox, a security research firm, a master key could allow cyber-thieves autonomous access to nearly all Android phones. Therefore, approximately 900 million devices are affected by the serious possible breach.

If the bug is exploited, it could allow an attacker the ability to control the phone – send it spam messages, steal its information or even eavesdrop. And, this big loophole has been on nearly all Android operation system version since 2009.

Google has made no comment on the discovery BlueBox has made.

The flaw happens in the way the phone’s app updates are confirmed, allowing developers to change an app’s code update without breaking its cryptographic signature. Thus, a person can easily hack into it, installing a bad code into an app in the store that looks fine.

BlueBox has said the only device not subjected to the issue is the Samsung Galaxy S4, which suggests a patch may already be installed onto the phone.