The vulnerability, CVE-2016-2060, affects Android versions 4.3 and earlier that use the software package maintained by mobile chipmaker Qualcomm, according to a blog post published by security firm FireEye.
The issue was first introduced in 2011 when Qualcomm released a set of new APIs (Application Programming Interfaces) for a network manager system service to the Android Open Source Project (AOSP) and later the "netd" daemon.
Qualcomm modified the netd daemon for providing additional networking capabilities to your smartphone, including additional tethering capabilities, among other things.
But unfortunately, the modification introduced a critical bug to the Android operating system that could allow low-privileged apps to gain access to your private data that is supposed to be off-limits.
According to researchers, attackers can exploit the vulnerability either by gaining physical access to your unlocked smartphone or by forcing you to install a malicious application onto your smartphone, likely through phishing campaign or a malicious app that has made its way to the Google Play Store.
The flaw likely affects hundreds of Android models manufactured in the last five years using Qualcomm chips.
"This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen," FireEye researchers wrote.
Researchers said the vulnerability is most severe on devices running Android 4.3 Jelly Bean, and earlier, that are "likely to remain unpatched." The issue has also been confirmed on devices running Android 5.0 Lollipop and Android 4.4 KitKat.
However, newer devices running Android with SEAndroid, the Android's implementation of Security Enhanced Linux, are less affected, but a malicious application could still modify some system properties managed by the operating system.
The vulnerability was patched in the latest Android security patch update Google released on May 1. According to the tech giant, Nexus devices were never affected by the flaw.