A major vulnerability has been revealed in the Android source code, potentially giving hackers access to 95 per cent of Android devices using only their phone number.

The bug was discovered by mobile security firm Zimperium in the Stagefright media library processes of all Android releases since 2.2. The worrying part is that the vulnerability can be triggered via MMS, without requiring any interaction from the user.

The company claims this is “much worse” than the Heartbleed PC bug discovered last year, but its hard to say how much of a threat the bug really is. Zimperium doesnt seem to think that hackers are currently exploiting it, though they could certainly start doing so in future.

A software patch covering the vulnerability was developed back in April, when Zimperium search researcher Joshua Drake first uncovered the problem. The patches were accepted by Google at the time, but still havent been distributed to the majority of Android devices. Drake told NPR that somewhere between 20-50 per cent of devices will be patched – leaving millions potentially vulnerable.