Google has fixed seven security vulnerabilities in Android, two of which it rated "critical."
The search and mobile giant said earlier this year it will release monthly security patches to ensure devices are protected against the latest security flaws.
Of the highest-rated vulnerabilities in its fourth monthly release so far, Google said the most severe flaw (CVE-2015-6608) could allow an attacker to remotely execute code (like malware) triggered by playing a specially crafted media file on an affected device.
It's rated "critical" because the vulnerability targets a core part of the Android software, which has access to permissions that third-party apps cannot normally access, the advisory said.
The good news is that the flaw -- discovered by Google's own security teams -- was not being actively exploited by attackers.
The other critical flaw (CVE-2015-6609) affects all versions of Android (including the latest "Marshmallow"). An attacker could get access to the device and run malware by sending a specially crafted audio file.
Of the other "moderate" flaws, Google will also patch an escalation-of-privilege vulnerability that allows an attacker to spoof phone numbers, launch denial-of-service attacks, and carry out data spoofing.
As we reported last month, Korean academics were able to trick affected Android devices into quietly making phone calls without the user's knowledge. That could be used to generate money on premium lines, over-billing, as well as carrying out targeted eavesdropping.
Google said this flaw only affected Android "Lollipop" users.
Although Nexus devices will get the security updates first, other Android manufacturers -- notably Samsung and LG -- said they would step up and offer patches monthly.
HTC, however, remains the outlier, calling monthly security patches "unrealistic."