New security vulnerability in Android allows hackers to take control of a smartphone by sending a text message. The worst part is that for the vast majority of Android users, there’s no fix yet. The researcher who detected the vulnerability claims that even the small number of people using Google’s own smartphones Nexus are vulnerable to some of the effects of the flaw.

The bug affects a part of the Android OS called Stagefright. The latter allows smartphones and tablets display media content. So, a malicious video can deliver a software which will run on the phone and potentially allow an attacker to obtain access to data on the phone and spy on the owner through camera and microphone.

The problem is that Google’s messaging app Hangouts automatically pre-processes received videos, so if the malicious video is sent as an MMS message, it will immediately take over the device before you even know about it, because in this case the user doesn’t actually have to play the video to be hacked. In respond, Google announced that the newer versions of Android protect users from the worst effects of the vulnerability. Security experts called the bug “Heartbleed for mobile”, referring to the flaw that put thousands of websites at risk a year ago.

The researcher who discovered the problem revealed its details to Google a few months ago and even provided patches for the errors. He set a condition of a 3-month embargo before he went public, giving Google enough time to fix the flaw. But this discovery highlighted another security problem with Android: the speed with which fixes are received by end users. Google, the developer of Android, cannot push patches to most of Android devices produced by other companies, and the manufacturers often have to negotiate with mobile network operators to send patches to end users.