A flaw called "Stagefright" in Google's Android operating system could let hackers take over a phone with a message -- even if the user doesn't open it.
The flaw could "critically expose" 95 percent of Android devices, according to Zimperium, the security firm that discovered the vulnerability.
Stagefright, which Zimperium called the "mother of all Android vulnerabilities," allows people to send a video containing hidden malware to Android phones via a multimedia message (MMS) application.
For the default messenger app on most Android phones, users don't even have to play the video -- simply looking at the preview of the message will give hackers full access to the text messages and pictures stored on device, according to Zimperium. They would also be able to record audio and video using the phone's microphone and camera.
The company also tested the flaw with Google Hangouts. Because the app instantly processes the video for quicker viewing, receiving the message is enough to make a user vulnerable, the security firm said.
"You're sleeping at 2 a.m. You get a message and that's it -- your phone is infected," Zuk Avraham, founder and CTO of Zimperium, told NBC News. "You can wake up and not even know it happened. This is a very dangerous flaw."
Zimperium plans to reveal more details about Stagefright at the Black Hat security conference in Las Vegas next week.
Zimperium shared their findings and security patches with Google in April.
"The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," a Google spokesperson told NBC News in a statement.
Unlike Apple's iOS operating system, Android is used on a wide variety of phones built by different manufacturers, which complicates the process of getting security updates to everyone who may be at risk.
"A majority of phones don't get updated, unless users update their phones manually," Avraham said.
People using Android 2.2 and up are vulnerable, according to Zimperium, with those using versions prior to Jelly Bean at the greatest risk.
Related: Census Bureau Investigating Hack After Anonymous Leaks Data Online
The good news? If users do update their software, they are well-protected from hackers who might want to exploit the Android security flaw. Not that Zimperium has seen any cases of people being affected by Stagefright.
"We haven't seen this happen with our user base," Avraham said, "but that doesn't mean that these attacks are being executed in the wild."
