It's the one thing that Google just can't seem to fix.
The search and mobile giant on Monday released its monthly round of Android security fixes, with one persistent flaw at the top of the list: a "critical" security vulnerability in mediaserver, a part of Android that finds and indexes media files stored on the device.
But the company declined to offer any further details on what the flaws were.
According to the bulletin, the two flaws "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," though the flaw is mitigated slightly because Google Hangouts and Messenger apps can't trigger the flaw.
In other words, an attacker can run malware on a device by exploiting the mediaserver, because the service has access to privileged parts of the device which other apps don't have.
Alibaba security researcher Weichao Sun was credited with the discovering the flaw.
All Nexus devices are vulnerable to the two flaws, and other devices that are running Android KitKat (4.4.4) and later, said the bulletin.
The Android software and phone maker also fixed five more critical bugs in the mobile operating system.
One of the flaws could allow a malicious app to execute code in the Android debugger, which would require the user to wipe and reflash their device.
And, like last month, the company also fixed two "critical" flaws affecting devices with Qualcomm hardware which if exploited could result in a "permanent device compromise," said Google, which would also require the device to be wiped and reflashed.
Nexus users can update from Android's settings menu. Other device manufacturers tend to follow in the coming days.
For privacy and security, change these Android settings right now