Here's the basic idea: Every Android app has its own unique identity, and this particular vulnerability allows malware to copy that identity, so that it can impersonate your applications without you knowing. Bluebox researchers aptly nicknamed the vulnerability "Fake ID."
Worse, it affects almost all Android phones. Bluebox says the vulnerability dates back to the January 2010 release of Android 2.1 and affects all devices that are not patched for "Google bug 13678484," which was disclosed to Google and released for patching in April.
The root of this vulnerability lies in what's called a "certificate chain," in which encrypted certificates that verify the identities of Android apps can trust each other to communicate and share data. The vulnerability, however, makes it impossible to verify the authenticity of the certificate chain.
Bluebox outlined some of the implications of this exploit:
An attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.