Update: This article has been updated with a comment from Google.

Researchers have found a vulnerability in Android devices that allows hackers to access a device remotely without the owner ever knowing it was compromised. The flaw affects roughly 95 percent of Android devices running operating system version 2.2 to 5.1, according to cybersecurity firm Zimperium.

At fault is a media library (used to process media files) called Stagefright. Zimperium says it found multiple vulnerabilities in the framework. The company plans to present its research at the Black Hat 2015 security conference and at the hacking conference Def Con in August.

Using a person’s telephone number, hackers can send a media file via MMS that gives them entry into a device. What’s more, the owner of the device may never know. Hackers could conceivably send the trojan file while the device’s owner is sleeping, get access to their phone, and then delete any evidence the phone was hacked. Once the exploit is completed, a hacker can remotely operate a phone’s microphone, steal files, read emails, and get personal credentials.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone,” says Zimperium chief technology officer Zuk Avraham.

Though Google has applied patches to Android Open Source Project, Zimperium says device owners should be proactive in updating their phones. Android owners can reach out to their telecom providers and device manufacturers to ensure their phones get the update.

Those with Silent Circle’s Blackphone running PrivatOS version 1.1.7 are already protected against the Stagefright vulnerability.

In a statement shared with VentureBeat, Google thanked the lead researcher who found the Stagefright vulnerability, Joshua Drake, and noted that most Android devices have technology in place to deter exploitation. You can read the full comment below.