In July, a bug in Android's media playback system called Stagefright, which only needed to send a specially crafted text message to the victim's phone in order to remotely execute code, left nearly a billion devices vulnerable to hackers.

Even though Google promptly issued a patch for that particular vulnerability, the security research company that found the original bug, Zimperium, has now found two new vulnerabilities in Stagefright, enabling hackers to take over an Android device by sending the victim a specially crafted multimedia file.

The new exploits are based on the way Android handles MP3 audio and MP4 video files. One vulnerability, in the libutils library, impacts "almost every Android device since version 1.0," according to Zimperium, but devices are only at risk if a third party app or a vendor-installed app is using the vulnerable function. The other, in libstagefright library, can be used to trigger the first one in newer devices, running Android 5.0 and up.

Joshua Drake, a researcher at Zimperium zLabs, told Motherboard:“All Android devices without the yet-to-be-released patch contain this latent issue.”

In practice, this means an attacker can remotely execute code on a victim's device by sending them a malicious MP3 or MP4 file.

Unlike the original Stagefright exploit, which required sending a text message, an attacker is now more likely to try and lure the victim onto a web site, which contains the malicious multimedia file. The bad part is that the victim doesn't even have to open the file.

"The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue," Zimperium wrote in a blog post.

Though Google has acknowledged the issue, a patch is still not available. Worse, even after Google releases it, it might take some time for Android phone manufacturers to implement it, as it did with the original Stagefright bug.

The best course of action for users right now is to avoid opening multimedia files and links from unknown sources.