The vulnerability affects devices running Gingerbread, Ice Cream Sandwich, and Jelly Bean versions of the Android operating system, SlashGear reported Friday.
The vulnerability would allow a downloaded app infected with malware to make it appear the phone is receiving text messages from someone on the phone user's contact list.
Such fake messages can be used to try to obtain personal information such as passwords or bank and credit card information, the researchers said.
The researchers say they've notified Google of the vulnerability, with the company saying a fix would be issued "in a future Android release."
Until then, the researchers recommend extreme caution when downloading and installing apps, especially from unknown sources.
Also, they said, users should be wary of text messages and confirm they're actually from someone they know, rather than from a scam attempting to steal personal information.