FireEye Discovers New Android App Threat

Mobile security research firm FireEye has identified a flaw in the Android OS that means hackers could create apps that only require standard download permissions but can replace Android home screen icons with ones that direct users to phishing content.

By hiding behind normal app permissions, the offending download would not even need to be reviewed by the user before installation. The vulnerability is not limited to Android devices running the Android Open Source Project, which include Nexus 7, Samsung Galaxy S4 and HTC One.

To test its theory, the company created an attack scenario by building an app that used two standard permissions that query, insert or alter the system icon settings. Google Play did not prevent the app from being published and did not offer a warning before the installation.

Hui Xue, from FireEye, said: “We have found that certain normal permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites.”

Google has acknowledged this issue and released the patch to its OEM partners, FireEye said in a blog post.
