“It’s really up to their imagination what they do once they get in”, said Joshua Drake, security researcher with Zimperium.

A major security flaw involving Android cell phones or tablets has the potential of giving hackers access to hundreds of million of users’ personal data. Essentially, it is a Trojan horse, and an attacker can compromise the phone. Then an attachment or download file would be sent to the phone via text.

The vulnerability affects Android devices running version 2.2 and later, which means practically all of the Android devices in use today are vulnerable.

New research suggests almost a billion Android phones are capable of being hacked simply by receiving a picture via text.

“[Upon] discovering the Stagefright vulnerability, we alerted Google and provided patches for the problem to help them begin the lengthy update process”. It’s possible users won’t even see the message that’s sent (a “specially modified MMS format message”) but only the alert, and the hackers will be in. All it takes is a 10-digit phone number and an MMS message; some hackers could even delete the message before a user sees it.

The code responsible, nicknamed as Stagefright, happens when video snippets attached to multimedia messages are skipped by android. According to CNN, Zimperium had notified Google about the bug on April 9.

Google released a statement in response to Forbes, thanking Drake for discovering the issues and for submitting patches to Google to fix the issues.

“This vulnerability was identified in a laboratory setting on older Android devices and as far as we know, no one has been affected”, she said.

Google, for its part, tells Android Central it owes Drake thanks “for his contributions” and that “most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more hard”.