Researchers at the University of Leibniz and Philipps University of Marburg tested 13,500 popular apps in Google's Play store and found almost 8 percent failed to protect bank account and social media logins.
The insecure apps failed to implement standard scrambling systems, researchers said, allowing "man-in-the-middle" attacks to spy on data passed along when devices communicate with websites, the BBC reported Monday.
The experts said by creating a fake WiFi hotspot and using a specially created attack tool to spy on the data the apps sent, they were able to capture login details for online bank accounts, email services, social media sites and corporate networks.
They were also able to remotely disable security programs or fool them into labeling secure apps as infected, they said.
Some of the apps tested have been downloaded to smartphones millions of times, the researchers said.