Google security researchers often disclose severe security issues that affect various products or operating systems. While they might anger some of the company’s competitors in the process, Google does the same thing with its own software. The company just unearthed a severe security flaw that should have been patched all the way back in December 2017, and it could allow an attacker to spy on a victim’s device. The list of potentially affected devices includes several high-end handsets like the Pixel, Pixel 2, Galaxy S9, and Huawei P20 series. However, it’s not all bad news, as the company is already rolling out fixes. Furthermore, as dangerous as the flaw might be, it doesn’t allow remote access to a device without the prior installation of a different piece of malware.

The list of devices susceptible to the attack is even bigger, including older Galaxy S7 and S8 models, the Moto Z3, as well as handsets made by Xiaomi and Oppo. Google explains that the zero-day issue should have been patched in late 2017, but devices running Android 8 or later can be still affected by it.

Google also chose to disclose the security issue before it’ll be patched this month via security updates because there’s evidence the bug is currently being targetted in the wild:

We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7-day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Attackers would be able to use the vulnerability to gain root access to a device, in which case just about anything is possible. It’s unclear at this time who’s actively exploiting the flaw or for what purpose. Per ZDNet, Google’s Project Zero team discovered the vulnerability and Google’s Threat Analysis Group (TAG) found proof of real-world usage.

Again, this doesn’t mean that hackers can just tap your phone without having any prior interaction with it. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation,” an Android Open Source Project told ZDNet. “Any other vectors, such as via web browser, require chaining with an additional exploit.

The vulnerability has been linked to the NSO Group, a company from Israel known for selling surveillance tools that take advantage of similar exploits.

If you’re using one of the phones on the list, you should install the upcoming security update as soon as it’s made available. You can read more about the vulnerability on Google’s bug tracker website at this link.