SAN FRANCISCO (KRON/CNN) — It may be the biggest flaw ever discovered involving smartphones. New research published Monday warns Android phones can get infected by merely receiving a picture via text message.

The potential problem can affect an estimated 950 million phones worldwide — about 95% of the Androids in use today, according to researchers.

The problem stems from the way Android phones analyze incoming text messages. Even before you open a message, the phone automatically processes incoming media files — including pictures, audio or video. That means a malware-embedded file can start infecting the phone as soon as it’s received, according Zimperium, a cyber security company that specializes in mobile devices.

If this sounds familiar, that’s because this Android flaw is similar to the recent Apple text hack.

But in that case, a text message with just the right characters could freeze an iPhone or force it to restart. According to cuber security experts, the Android flaw is potentially more damaging, because a hacker could gain complete control of the phone: wiping the device, accessing apps or secretly turning on the camera.

In a statement to CNNMoney, Google acknowledged the flaw. But it also assured consumers that Android has ways of limiting a hacker’s access to separate apps and phone functions. The concern is that hackers have managed to overcome these limitations in the past.

The bug affects any phone using Android software made in the last five years, according to Zimperium. That includes devices running Android’s Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat and Lollipop iterations (Google names its Android versions alphabetically after desserts).

Zimperium said it warned Google about the flaw on April 9 and even provided a fix. The company claims Google responded the very next day, assuring a patch would be shared with customers in the future.

Typically, in these situations, companies are given a 90-day grace period to issue a fix. It’s a rule even Google abides by when it finds flaws in others’ software.

But it’s been 109 days, and a fix still isn’t largely available, according to experts. That’s why Zimperium says it is now going public with the news.

The issue now is how quickly Google will manage to fix the flaw for everybody. While Apple is equipped to push out updates to all iPhones, Google can’t.

Critics say Google has a fractured distribution system that can get in the way of quick updates. Several entities stand in between the Mountain View-based internet giant and its users, and they routinely slow down the release of new software. The multiple parties include phone carriers, like AT&T and Verizon– and makers of physical devices, like Samsung– all of which need to work together to issue software updates, according to technology experts.

Google told CNNMoney it already sent a fix to its “partners.” However, it’s unclear if any of them have started pushing that out to users themselves.

For that very reason, Google recently put its own Nexus phones first in line to receive updates. This could be a test case that shows why it’s so important to receive updates quickly.

Chris Wysopal is a longtime hacker and now an executive at cybersecurity firm Veracode. He called this Android’s version of Heartbleed, the devastating bug that put millions of computer networks at serious risk last year.

“I’m interested to see if Google comes up with a way to update devices remotely,” he said. “Unless they can do that, we have a big disaster on our hands.”