"A master key' that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox." http://www.bbc.co.uk/news/technology-23179522
"The route that could have affected most users (the Play Store) has already been fixed and taken care of from Google. Basically, at this point the main way someone could be affected by this issue is from installing a bad APK file from outside the Play Store. This is something that far less than 99 percent of all Android users are doing." I guess there is a way to mess with the APK code without breaking the cryptographic signature that verifies it when installed. There will always be a way...
The only thing I have downloaded outside the play store is an update to tinyshark and the website that hosted the update is trustworthy, I hope