Fortinet has warned Malaysian users that a critical vulnerability found in the Android operating system, Stagefright, could allow hackers to gain access to mobile devices with a single multimedia message (MMS).

In a statement, Fortinet said Stagefright is described as one of the worst ever Android vulnerabilities discovered to date.

"It allows phone hacking just by receiving a malicious MMS.

"What's most alarming is that the victim does not even need to open the message or watch the video to activate it and can attack any Android smartphone, tablet, or other devices running Android 2.2 or higher," said Fortinet's FortiGuard Labs Security Researcher, Ruchna Nigam.

She said this puts 95 per cent of Android devices at risk of being hijacked and the vulnerability is considered particularly serious, since it can be exploited without any user interaction.

"All an attacker needs is the victim's phone number to get the Stagefright exploit to work," added Nigam.

Alarmingly, she said this vulnerability also affects Mozilla Firefox, which makes use of the same library on all platforms, except Linux. It has been patched in Firefox version 38 and users are advised to upgrade their browser.