Stagefright: The Pain is Just Beginning
I’ve previously discussed the extremely primitive state of mobile security, and really, it is like the picture of Dorian Gray — as your phones get newer and faster and shinier, the software under the hood gets older and weaker and more vulnerable. The Stagefright bug, affecting 950 million Android phones, is only the latest example of an increasingly horrible situation.
“Stagefright,” in this case, refers to a code library within Android that handles text messages. Receive a malicious text — in most scenarios, a picture text, or multimedia message (MMS) — and your phone is compromised, just like that. In fact, this vulnerability is scary enough that you don’t even need to open the malicious text message in order to receive the infection. A skilled attacker can even delete the infected message after you receive it. If you have an Android phone, it could have been hacked overnight, and you would never know.
The one ray of sunshine is that this hack was discovered by security researchers, not hackers, and has not yet appeared in the wild. As far as anyone knows, no one has been hacked via Stagefright. On the other hand, it is only a matter of time until Stagefright appears in the real world, due to the ineffective manner in which Android patches are handled.
There’s a reason why, according to IDC, the Android operating system has achieved a market share of almost eighty percent. Android is open-source, meaning that a smartphone manufacturer can use the OS on their devices essentially for free, and modify the software however they choose. This allows for some really crazy and inventive variations on Android, like supporting a curved screen, nonstandard apps, custom security features, and more. All this customization, however, has a hidden downside.
By making its software open-source, Google has surrendered the ability to directly update most phones that run Android. Google has written a patch that eliminates the Stagefright bug, but has only updated the phones that it directly manufactures, the Nexus series. Other manufacturers are rolling out the patch, but as is typically the case, their newest, shiniest, and best-selling phones are first in line. If you have a model from a year or more ago, you could wait weeks to get the fix, or possibly never receive the patch at all.
News on this front continues to worsen. A research firm, Exodus Intelligence, reports that the development of the Stagefright patch was so rushed that the fix for the vulnerability might not actually work. Additionally, Forbes reports that another researcher, Evgeny Legerov, has discovered multiple similar zero-day exploits that involve the Stagefright code library. This is bad news. One of the reasons why modern software development is so insecure is that developers will often use the same code library for different products.
For example, Stagefright is also used in the Mozilla Firefox web browser. While the specific Stagefright bug that this article discusses has already been patched in Firefox, if the Stagefright code library contains other vulnerabilities, then developers might be forced to play a long game of whack-a-mole in order to deal with these issues, or find some way to replace this library in its entirety.
All hope is not lost for users of unpatched mobile devices. Zimperium, the discoverer of the vulnerability, has published a few guidelines for ordinary users to protect themselves. For example, users can prevent their devices from automatically downloading messages by changing some settings on their Android device. They also recommend installing a custom Android operating system known as CyanogenMod, which is, ironically, updated much more frequently than phones supported by major carriers, especially for phones that might be one or two years behind the curve.
What does this mean for companies? Custom Android phones designed to be resistant to breaches are available, such as the previously-mentioned Blackphone. Indeed, Blackphone was one of the first non-Google phones to be patched against the Stagefright bug.
If budget constraints don’t allow you to arm your workforce with a secure custom phone, then certain companies, such as Zimperium itself, offer mobile device protection software. Zimperium offers a solution that acts like an antivirus suite on a user’s device, while other products rely on “sandboxing.” This technique forces certain apps to run in a virtualized environment, fenced off from the rest of your phone’s operating system. By sandboxing the messaging app, for example, you could download malicious code, but that code wouldn’t be able to find an attack surface to run on, rendering it inert.
In the long run, however, it would be safe to assume that Android is screwed as a viable platform when it comes to security. Barring major changes in the way that carriers patch their Android devices, ordinary users are going to be in for a great deal of pain, and corporations aren’t going to have it much better.