Security researchers have found a series of security holes in almost a billion Android devices that use chipsets from Qualcomm.
The Check Point researchers said in a blog post on Sunday that attackers could use the flaws to gain root access to the device, which would mean gaining control over the phone or tablet and the data on it—a spy’s dream.
Check Point, which called the set of four holes “QuadRooter,” presented its findings at the Defcon 24 security conference. It said anyone could exploit the QuadRooter vulnerabilities by getting a malicious app onto the victim’s device, and this app would require no special permissions to do its thing.
Get Data Sheet, Fortune’s technology newsletter.
The flaws lie in the software drivers for Qualcomm’s (qcom) chipsets, which are found in approximately 900 million devices ranging from Motorola’s Moto X to Sony’s (sne) Xperia Z Ultra to Google’s (goog) own Nexus phones. Supposedly even secure handsets like BlackBerry’s (bbry) Priv and the Blackphone are affected.
Consumers can check whether if their Android devices are vulnerable by downloading a free app from Check Point. There has been no evidence that anyone has exploited the flaws yet.
“We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July,” Qualcomm said in a statement Monday.
As for whether users’ existing phones and tablets get protected, that’s down to the manufacturers—and many only push out software updates for their devices for a limited time. (Google has reportedly patched its Nexus phones.)
For more on Android, watch:
“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users,” Check Point’s researchers wrote. “Once available, the end users must then be sure to install these updates to protect their devices and data.”
This article was updated to include Qualcomm’s statement.