One of the new exploits reportedly affects every device from version 1.0, which was released in 2008, and the other impacts devices running 5.0 and above.
The attack — dubbed Stagefright 2.0 — is related to the processing of metadata within a MP3 or MP4 video file. Previewing a specially crafted song or video would execute the exploit, which would allow an attacker to execute remote code.
It also affects third-party apps, as the bug is found within the libstagefright library leveraged by some media players. The exploit has not been spotted in the wild at time of writing.
There is no proof-of-concept code for the bug as it is still unpatched, but the company will update its Stagefright detection app once a fix is released.
The researchers reported the bug to Google on August 15th, which plans to release a patch in the next Nexus Security Bulletin scheduled for the second week of October.
Phone manufacturers like Xiaomi, Samsung, HTC and Sony will also need to release the update themselves, but haven’t yet commented on what their plans will be.
Unfortunately for older devices that no longer receive updates, it’s likely this security flaw will ever be patched, leaving them susceptible to it until they manually flash a new version of Android.
An attack like this in the wild on the internet could be catastrophic, as it only requires the user to visit a URL containing the malicious file, which could be executed on download within a song that appears legitimate.