A couple of months ago I wrote about an iPhone bug that allows users to unintentionally install rogue iPhone Apps (see post).
Well now Android users are getting hit with a similar attack. Ars technica is reporting that they have found an Android Installer hijacker (see article).
Like the iPhone bug, it only works if you install an app from somewhere other than the Google Play store. Like the iPhone bug, the vulnerability allows the user to think they are installing App A when in fact they are installing App B. The mechanics of how it works is different than the Apple bug, but both are related to inadequate validation of the installers at install time.
The bug was patched in Android 4.3_r0.9, but apparently some versions of 4.3 are still vulnerable. Android 4.4 and Lollipop (5.0) are not vulnerable.
Unfortunately like some other Android bugs, this means about 900 million phones or 49% of all Android users are vulnerable.
If you steer clear of third party app stores you will not have a problem, even if you are running a vulnerable version of the Andoid OS.