A flaw called "Stagefright" in Google's Android operating system could let hackers take over a phone with a message -- even if the user doesn't open it, NBC News reported.
The flaw could "critically expose" 95 percent of Android devices, according to Zimperium, the security firm that discovered the vulnerability.
Stagefright, which Zimperium called the "mother of all Android vulnerabilities," allows people to send a video containing hidden malware to Android phones via a multimedia message (MMS) application. For the default messenger app on most Android phones, users don't even have to play the video.
"Patches have already been provided to partners that can be applied to any device," a Google spokesperson told NBC News in a statement.