The news could not get worse. A week ago security firm BlueBoxannounced it had found a “master key” vulnerability – affecting 99%of Android phones – that theoretically would enable a cybercriminalto transform just about any app into malware.

On its face, that says almost all Android phones are tickingtime bombs and so the rumbling has started that just maybe creditunions and other financial institutions should politely but firmlyadvise their members to take their Androids elsewhere.

But there is more to this story and, indeed, Androidvulnerabilities are real but few security experts are urgingoutright bans.

For starters: Google now says it has rolled out a patch to its partners, which means phone makers and carrierswill shortly distribute the fix.

What's more, Jeff Forristal, chief technology officer atBlueBox, the company that discovered the Android vulnerability,said in an interview that, to his mind, a sharper question thanwould you use an Android is would you use a Windows computer foronline banking?

That's because of Zeus and other well-documented attacks on Windows.

Added Forristal: “Just because there is a potential for riskdoes not mean the risk will be realized.”

In the case of the master key vulnerability, Forristal stressed,“We have discovered no proof that this has been exploited.”

Most other experts sing the same tune: Android is fine, thoughusers need to practice safe surfing and downloading.

“Currently the infection rate for Android phones is much lowerthan the PC infection rate, making Android a much safer tool foronline banking,” said Alex Bobotek, co-chairman of the Messaging,Malware and Mobile Anti-Abuse Working Group, an industry body. Headded, “So here's the best safe mobile banking strategy: put apassword on your phone and think before you click.”

A fact: there are literally millions of Android apps infectedwith malware – the Anti-Phishing Working Group recently reportedover 1.3 million confirmed-malicious files for the platform – whilecomparable infection rates for iPhone apps is much lower, mainlybecause the Apple Apps Store is the only place to download apps,whereas Android apps are available anywhere.

That openness has given criminals a freedom to stock the pondwith bad apps. But many of these bad apps are available only inRussian, or Chinese, and infection rates in the U.S. are thought bymost experts to be much lower.

It's also simple to sidestep most of this malware, wherever itis.

“There are risks with Android,” stressed Rohit Sethi, a vicepresident at Security Compass. “But if you are careful the risksare overblown.”

He specifically cautioned users to only download apps from theleading Android apps stores –

Google Play and Amazon Appstore. Another precaution is only todownload apps that have already been downloaded thousands of times– there are risks in being a first adopter because often it isusers who sound the alert about bad Android apps.

Meantime, George Tubin, a security consultant with Trusteer, stressed that manyfinancial institutions are taking steps to proactively deliver moreprotection to mobile banking customers by implementing tools thatunobtrusively inspect a member's phone for installed malware thatcould compromise mobile banking sessions. Key to this is that thechecking happens behind the scenes, with no requirement for userinvolvement.

Take steps like that, said Tubin, and both the financialinstitution and its members can proceed with a high level ofconfidence in the safety of mobile banking sessions.

Bottom line: Android phones now claim over 50% of the smartphonemarket in the U.S. and, with hundreds of devices and availabilityat just about every price point, no expert is predictingsignificant share erosion. Android rules the smartphone world andthat means it is incumbent on credit unions to learn to live –safely – with them.