Security firm Symantec has discovered two applications, which are being distributed on Android marketplaces in China, exploiting master key vulnerabilities.
Symantec said both applications, which are used to find and make medical appointments, are legitimate but have been modified by hackers.
The apps, detected as Android.Skullkey, uses root commands to allow hackers to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages and disable a few Chinese mobile security applications.
The security firm said the attacker had modified the original Android application by adding an additional classes.dex file and Android manifest file.
Symantec said: "We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices."
The company has urged users to download applications only from reputable Android application marketplaces.
Earlier this month, security research firm BlueBox first reported the vulnerability in Android’s security model which enables a hacker to modify APK code without breaking an application’s cryptographic signature.
The vulnerability, which has been present since the release of Android 1.6, also known as Donut, can turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone or the end user.