Android phones might be vulnerable to a hack that could occur just by receiving a text, a research firm claims. According to CNET, researcher Zimperium says most Android phones are vulnerable.

Zimperium found there is a flaw that exists in the media playback tool built into Android called Stagefright. Hackers could take advantage of this flaw by sending the phone a text message, allowing them to take complete control over the handset. This would allow hackers to steal any information they want from the phone, such as credit card numbers and passwords.

Zimperium told National Public Radio the hack has not yet been performed on phones, but in a blog post, Zimperium said over 95 percent of Android phones worldwide could be affected.

That's a lot of phones. For example, there were over 1 billion Android phones sold in 2014, according to Strategy Analytics, and even more phones are expected to be sold in 2015. Zimperium is calling Stagefright "the mother of all Android vulnerabilities."

Android has an open-based design, which makes it vulnerable to attacks, unlike Apple's iOS. Users like that they can customize the operating system, but it also makes it susceptible to attacks. In the first quarter, 99 percent of malware was designed for Android devices, according to the security firm F-Secure.

Once Android discovers vulnerabilities, they have to scramble to release fixes to multiple brands of devices and different carriers, and that is not an instant process.

Zimperium first discovered this security issue in April and was quick to inform Google about it.

"The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," a Google spokeswoman said. "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device." 

The malware is hidden inside a short video sent by a text message. Once the text is received, Stagefright tries to prepare the video for watching. This preparation process is enough for hackers to get into the system.

Google is trying to fight malware and security issues by offering rewards to researchers who are able to find bugs and security issues within the Android system.

Google is confident their operating system is secure. Zimperium plans to show how the Stagefright malware works at the Black Hat hacker conference in Vegas on Aug. 1.