It looks like the Zimperium mobile security firm may have found the largest Google Android smartphone flaw, with an estimated 950 million phone owners at risk.
There is no user interaction required for the remote code execution vulnerability, and attackers simply need to know your mobile phone number.
"This happens even before the sound that you've received a message has even occurred," said Joshua Drake, cybersecurity researcher at Zimperium, in a statement published by NPR. "That's what makes it so dangerous. [It] could be absolutely silent. You may not even see anything."
Drake informed Google about the vulnerabilities - and provided potential fix ideas - to Google in April and May, saying the company acted quickly. It's now up to smartphone manufacturers to send updates to users.
Android is the No. 1 mobile operating system in the world, with 80 percent of smartphones running the free and open source OS. Expect more details when Drake presents his research during the Black Hat USA conference and DEF CON 23 next month.