UPDATE: Tuesday, July 28, 5:55 p.m. ET: Following our initial report, a Google spokesperson added a little more detail on which Android devices may be impacted as well as the overall implications of the exploit.



"This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users," the Google spokesperson told Mashable.



"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at Black Hat."

A major security flaw in some Android devices would only require the attacker to have your cell phone number, according to security research firm Zimperium.

The flaw involves a remote code execution that could be initiated by sending the target Android smartphone user a text message. The vulnerability, which targets a media playback system called Stagefright, could affect an estimated 950 million devices, the company's report warns. "Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep," it reads.

The frightening name of the exploit is actually derived from the media playback engine (the focus of the exploit) at the native level of Android, which is called "Stagefright."

"Attackers only need your mobile number," Zimperium's security report said on Monday. "Using [that] they can remotely execute code via a specially crafted media file delivered via MMS."

Even more troubling, the firm says that the message could be deleted before the user even gets to read it — with nothing but a notification appearing on the handset.

"Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a Trojaned phone," the report warns.

The firm claims that Android devices using versions prior to the Jelly Bean release — Froyo, Gingerbread and Ice Cream Sandwich, which together are currently used by an estimated 11% of Android users — are at the most risk. But even updated phones don't get a clean bill of health.

A security patch for the exploit was submitted to Google back in April, according to Zimperium founder and CTO Zuk Avraham. "The security issue could allow an attacker to gain full control of a device," Avraham told Mashable.

Screenshots taken on a Nexus 5 (hammerhead) running the latest version, Android Lollipop 5.1.1. Image: Zimperium screenshot

Once attackers have control of the Android device, according to Avraham, they could execute a number of functions — including turning on the handset's microphone and recording audio, taking and downloading photos on the phone, reading emails and Facebook messages and even rerouting phone calls.

"We thank [Zimperium research team member] Joshua Drake for his contributions," a Google spokesperson told Mashable. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."

Avraham says a number of Android partners have been slow to apply the update. Still, Google does not appear to view the exploit as a major concern at this point.

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," said the Google spokesperson. "Android devices also include an application sandbox designed to protect user data and other applications on the device."

Avraham says that his company hasn't seen any executions of the malicious code within its customer base, but noted that this doesn't mean it isn't being used elsewhere.

Drake will present his findings at the Black Hat USA conference in August, and may demonstrate how the exploit works during the event.