When a user goes to install and app, they are presented with "permissions" – actions that the app would like to carry out or certain parts of the phone that it wants to access such as your contacts. A user then clicks "next" and "install" if they want to download that app.
But a vulnerability exists in this process when the user is receiving the permission information. An attacker can modify the code in the background, changing the permissions of the app without the user knowing so that when they download what they thought was a legitimate piece of software instead turns out to be malicious.
"This Android vulnerability means users who think they're accessing legitimate applications with approved permissions may instead be exposed to data theft and malware," Ryan Olson, intelligence director at Palo Alto Networks, said in a statement.
The disclosure today follows recent security concerns over Android. A report by FireEye last month found that over five billion downloaded Android apps are vulnerable to being hacked.
Read MoreThis may be the biggest hacking threat to business
Palo Alto Networks' report says versions 4.3 and earlier of the Android operating system may contain this vulnerability. Android version 4.4 and higher versions have fixed the issue. Around half of the Android population could be affected.
The cybersecurity company uncovered the flaw in January 2014. In February it reported it to Google, in March it told Samsung and in September it notified Amazon. The public disclosure was made on Tuesday. Palo Alto Networks said it was working with Google as well as device manufacturers such as Samsung.
Google said in a statement that it had released a patch to fix the vulnerability in Android 4.3 and later. "The Android Security Team has not detected any attempts to exploit this vulnerability on user devices," the search giant added.
Amazon urged customers in a statement to move to the latest version of its app store.
Read MoreAmazon's video game platform just got hacked