Buggy: new Android Stagefright vulnerability affects nearly every Android device in circulation
Google’s Android team will be feeling under the weather this week after another major security flaw was discovered in the operating system.
The gaping security hole is dubbed “Stagefright 2.0,” the successor to the original Stagefright vulnerability discovered back in August, and affects more than one billion Android devices, which is pretty much every single Android-powered device in circulation.
Joshua Drake, a researcher at Zimperium zLabs, discovered the security issue, saying that Stagefright 2.0 consists of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.
The main vulnerability, which affects most Android devices, allows bad actors to target users through an infected MP3 or MP4 file. The vulnerability lies in the processing of metadata within the files, so the file does not need to be fully played: merely previewing the song or video is enough to trigger the issue.
According to Drake, the primary attack vector would be via a web browser, where an attacker would try to convince a potential target to visit a URL pointing at an attacker-controlled web site; the attacker could inject the exploit using common traffic interception techniques (MITM) through unencrypted network traffic destined for the browser.
“I cannot tell you that all of the phones are vulnerable, but most of them are,” Drake told Motherboard. “All Android devices without the yet-to-be-released patch contain this latent issue.”
Google assigned CVE-2015-6602 to the vulnerability and said that a patch for these new vulnerabilities will be rolled out to users of its Nexus phones on October 5.
Holes
Vulnerabilities are discovered in operating systems from time to time, so there’s nothing new here. The problem on Android devices is that patching relies on handset makers and/or telcos to push out updates to users; there is no centralized way to update Android phones, and this leaves more and more people vulnerable when holes like this are discovered.
That said, if you use an Android phone there is no need to panic: there’s no strong evidence that Stagefright 1.0 has ever been taken advantage of, and the same may hold for this new vulnerability, and even then you’d have to be seriously unlucky to be trapped by it.
Image credit: comedynose/Flickr/CC by 2.0