Sun's Mobile Java technology is used by many mobile manufacturers to enable users to download and run applications like mobile Java games and productivity tools.
Adam Gowdiak said: "The vulnerabilities allow [hackers] to completely bypass Java security restrictions and conduct certain malicious actions on a vulnerable device."
Gowdiak said the security hole could be exploited to force the phone to send SMS, MMS and WAP messages, make phone calls and establish internet connections.
The security vulnerability also gives an intruder full access to files stored on a device, including video and audio recording, full phonebook access and SIM card access.
He warned that a hacker could use the security hole to install backdoor code on the device without the user's knowledge, which would run code at operator or manufacturers privileges.
Security Explorations estimates that 1.5 billion devices could be affected, as the vulnerability could affect other devices using the reference implementation of Sun's mobile Java technology (Sun Wireless Toolkit v. 2.5.2).
On the company's website Gowdiak is charging 20,000 euros to see his research. The fee provides access to proof-of-concept code - which can give an intruder full access to the phone's functions - and examples of a backdoor attack.
A self-confessed "experienced Java Virtual Machine hacker," Gowdiak said he had catalogued over 50 security issues uncovered in the Java technology over the last few years. Highlights of his career include being the first person to present successful and widespread attacks against mobile Java platform in 2004.
Nokia did not comment.