FireEye, a cybersecurity firm, has found a flaw in Android devices running Qualcomm chips. The vulnerability has existed in Android devices for the last five years, and it affects devices with Qualcomm processors running Android 4.3 and older Android systems. Devices running newer versions of Android take advantage of SEAndroid, but FireEye says they are still affected to some extent.

According to a FireEye blog post, “This vulnerability allows a seemingly benign application to access sensitive user data, including SMS and call history, and the ability to perform potentially sensitive actions, such as changing system settings or disabling the lock screen.”

FireEye informed Qualcomm of the bug in January, and Qualcomm released a fix by April, making it available to all vendors. Google pushed the fix to Nexus devices in May. Although Google secured its own Nexus devices, the company has no control over the rest of the Android ecosystem. Carriers and Android hardware vendors control software updates on their own Android devices, and users of these devices will remain vulnerable unless these companies update the software.