Zimperium zLabs security researcher Joshua Drake discovered a series of flaws in Stagefright - Android's media playback engine - that have serious implications.
Zimperium described it as the "Mother of all Android Vulnerabilities". Not only does it affect 95% of Android devices (the bugs are present as far back as Android 2.2, so as many as 950,000,000 phones could be affected), but no user interaction is required and it seems that conventional security software is unable to provide protection.
Exploits can be delivered in the form of an MMS (Multimedia Messaging Service) message. Depending on the app used to process MMSes, the message may be processed automatically as it is received. An exploit could then execute code (e.g., to record audio or video) and steal data accessible to Stagefright (e.g., photos on the SD card).
Where the Messenger app is used, the exploit runs when the message is looked at, even if the user does not play any of the content.
According to Symantec's Norton operation, a degree of protection can be achieved by disabling Auto Retrieve MMS in the relevant app, such as Messaging, Messenger, Google Chat or Google Hangout.
But "It is important to keep in mind, this is only a partial, temporary solution. Even with auto-retrieve MMS turned off, it is possible for a user to accidentally download a malicious message."
The real fix is to apply the necessary patch from the device manufacturer. The problem is that phones running Android versions from 2.2 to 4.0 are historically less likely to receive updates, and those operating systems lack the refinements that make vulnerabilities harder to exploit.
Symantec also warned that Norton Security does not provide protection against the Stagefright vulnerability.
According to Forbes, Google will push out patches to Nexus devices next week.
Other vendors have made vague statements about forthcoming updates, but unless your phone is quite new and running a very recent version of Android it is quite possible that the maker will quietly ignore it. For example, the Fake ID vulnerability disclosed this time last year is still present in a fully-updated Samsung Galaxy S3.
That's a worry, as Drake will be revealing details of the Stagefright vulnerabilities at the Black Hat and Defcon conferences next week.
Furthermore, MMS isn't the only way of exploiting the vulnerability: the Firefox browser has already been patched to prevent malicious video files reaching Stagefright.
Is anyone safe? Fixes have already been released for Silent Circle's Blackphone and for the CyanogenMod fork of Android. And as mentioned above, mitigations in Android 4.1 and later may make it harder to create reliable or effective exploits for the vulnerability.
And at this stage nobody seems to be claiming that there are any exploits in the wild, but that could change after Drake spills the beans next week.