Hackers could sneak their way inside any Android phone or tablet by sending a malicious image file, according to the latest Android security bulletin released by Google.
While there isn’t a record of the attack actually happening in the wild, the vulnerability in Android versions 7.0 to 9.0 would give hackers “privileged access” to run malicious code on any Android device that had opened a malicious PNG image file.
Perhaps the scariest part of all? There’s probably no way people would know they had been targeted.
The Android security bulletin classified the threat as severe, “based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
The update mentioned that there has been no record of hackers actually pulling off the attack. Google was also, of course, deliberately vague on the technical details of how to hack Android.
The vulnerability has since been patched. However, Kathy Wang, director of security at GitLab, said if black hat hackers had learned of it first, it could have had serious consequences for Android users.
“In particular, the arbitrary code execution vulnerability is very serious, and Android could potentially benefit from employing tighter controls on approved apps and their subsequent updates,” she said. “It is a difficult balance between having a fully open contributor ecosystem versus keeping the approval process controlled, as Apple iOS mandates.”
While a patch has been rolled out, people who use Android devices made by third-party companies will want to exercise caution and make sure they’ve downloaded the latest software updates, since it usually takes longer for Android security updates to be rolled out by Google’s partners.