Stagefright is back, and affecting millions of Android devices

The latest round of vulnerabilities affects potentially every Android device, say researchers.
Written by Zack Whittaker, Contributor
The flaw is found in how Android processes videos and music files

If you thought the bluster of the first Stagefright vulnerability had blown over, think again.

A set of two new vulnerabilities, dubbed Stagefright 2.0, could allow an attacker to exploit a weakness in how Android processes audio (MP3) and video (MP4) files, which can be used to install malware.

The scope of the flaw isn't thought to be as wide as that of the first Stagefright vulnerability. The second flaw affects devices mostly running Android 5.0 "Lollipop" and later. The researchers said in a blog post that some Android phones running older components may also "be impacted."

It's the second such attack on the popular mobile operating system's media library this year.

Stagefright is named after Android's media component, which comes with basic playback software for audio and video. Security researcher Joshua Drake, who discovered the flaw, called it among the "worst Android vulnerabilities discovered to date."

Sending a poisoned multimedia text message (MMS) can allow a hacker to deliver malware to a device. In most cases, it requires the Android device owner to open the video. In some cases just receiving an affected message can leave a device vulnerable.

Because the MMS feature has been removed in newer versions of Android's messaging app (and other apps) in an effort to mitigate an attack, the new flaw would most "likely" be exploited through the browser, according to the blog post.

"An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site," such as through a malicious phishing campaign, said the blog post.

Google will reportedly patch the flaw in its upcoming Nexus Security Bulletin on October 5 -- as per a company spokesperson -- for its own-branded Nexus phones and tablets.

A spokesperson added in an emailed statement that the fix was sent to its carriers and partners and "have been working with them to help roll it out as soon as possible."
