The Israeli security firm NorthBit has demonstrated an exploit that could allow hackers to access data and functions on a wide range of versions of Android, after users access malicious websites. The vulnerability that makes the hack possible exploits an Android code library called “Stagefright,” which processes several media formats. It was discovered last year, but apparently Google (GOOG) didn’t fix the weakness in all versions of Android.
As reported by Ars Technica, NorthBit has named its exploit “Metaphor.” Vulnerable versions of Android include versions 2.2 through 4.0, as well as 5.0 and 5.1. Altogether, about 275 million phones run those versions.
Get Data Sheet, Fortune’s technology newsletter.
The exploit does have two significant limiting factors. First, it has to execute different code to hijack each specific model of phone, making it more difficult for a hacker to deploy it at massive scale without building many different versions.
It is also effectively blocked in the latest version of Android, 6.0 Marshmallow, and Google has said a security patch released in October of 2015 protects some older installs.
For more on efforts to keep your phone secure, watch our video:
As Ars points out, however, updating to the latest operating system is not easy or even possible on all Android phones, so the best security advice is still pretty much the oldest one in the book—don’t click on unknown web addresses from untrusted sources.
Update: Here is Google’s full statement on the issue: “Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”