June 18, 2015 - 11:09 AMT
Keyboard bug leaves 600M Samsung Galaxy devices exposed to hackers

A vulnerability in Samsung’s Android keyboard, installed on over 600 million devices worldwide, could allow hackers to take full control of a smartphone or tablet, The Guardian reports.

The security bug revolves around the update mechanism of the built-in keyboard, which looks for language updates for trending phrases either daily or weekly.

“The keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” said researcher Ryan Welton from security company NowSecure, who discovered the hole.

The problem was discovered last year. NowSecure told Samsung about the bug in December. Samsung asked NowSecure to keep the discovery under wraps until it could patch the problem. Google’s Android security team was also notified.

However, six months on, it is unclear whether the patch is out. Samsung started that process in early 2015 but, unlike Apple with its direct model of software updates, it is beholden to mobile phone providers to push out updates to their users.

It is unclear whether that has happened and on what scale users have updated their devices.
