Almost one billion Android devices are affected by a serious security flaw which could give attackers complete access to a phone's data and hardware including the camera.
The vulnerability was uncovered by researchers from Check Point, an international cyber security company. The bug was dubbed “Quadrooter”.
It affects all devices which use a Qualcomm chip – thought to be in around 900 million phones and tablets.
However, there is no evidence of the vulnerabilities currently being used in attacks by cyberthieves.
"I'm pretty sure you will see these vulnerabilities being used in the next three to four months," said Michael Shaulov, head of mobility product management at Checkpoint.
He said: “No-one at this point has a device that's fully secure. That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google."
An attacker would have to dupe a victim into installing a malicious app on the phone, by sending them a link to download for example. The app would not require special permissions, allowing a hacker 'root' access. That means they could see all data and use the camera and microphone.
Checkpoint handed information about the bugs and proof of concept code to Qualcomm earlier this year. In response, Qualcomm is believed to have created patches for the bugs and started to use the fixed versions in its factories.
The list of popular affected devices includes but it not limited to, BlackBerry Priv and Dtek50, Google Nexus 5X, Nexus 6, Nexus 6P, LG G4, LG G5, LG V10, Sony Xperia Z Ultram, HTC One, HTC M9, HTC 10, Blackphone 1 and Blackphone 2.
Qualcomm has also distributed the patches to phone makers and operators. However, it is not clear how many of those companies have issued updates to customers' phones. The agencies do not believe patches are created quickly enough, leaving smartphone users vulnerable.