The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device. The core problem is that Android fails to validate public key infrastructure certificate chains for app digital signatures, said Jeff Forristal, chief technology officer of Bluebox Security, a San Francisco company whose researchers discovered the issue.