Stagefright is quickly becoming the bug that wouldn’t die. First discovered in July, the vulnerability allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android’s multimedia preview function.
Google, manufacturers and carriers scrambled to patch the bug, only to have another bug pop up two weeks later, requiring another round of patches. Now, three months after the initial disclosure, it’s all happening again.
Zimperium security a new way to exploit Stagefright that isn’t covered by existing patches, first reported by Motherboard. The new vulnerability works by encoding a malicious program into an audio file, delivered over mp3 or mp4. Once a user previews the file or visits a page where that file is embedded, Android’s audio preview will activate the program, infecting the device.
This article originally appeared on Recode.net.