Sorry, Android users: News about the Stagefright vulnerability isn’t getting any better. Motherboard’s Lorenzo Franceschi-Bicchierai brings us word that Joshua Drake, a researcher at Zimperium zLabs, has found a new Stagefright vulnerability that lets hackers break into your phone just by tricking you into visiting a website that contains a compromised MP3 or MP4 file. And just like the first Stagefright vulnerabilities uncovered, this new one affects almost every Android device now in use around the world.

DON’T MISS: How someone acquired the domain name for a single minute

“I cannot tell you that all of the phones are vulnerable, but most of them are,” Drake explained to Motherboard. “All Android devices without the yet-to-be-released patch contain this latent issue.”

And sadly, there’s no guarantee that your phone will get this patch in a timely fashion given how fragmented the Android upgrade process is.

How does this vulnerability work? Basically hackers have to trick you into opening a webpage with a malicious MP3 or MP4 file on it — and you don’t even have to download the file to be affected by it, as just previewing the malicious audio or video file is enough to give the hacker access to your device.

To learn more about this major vulnerability, check out Motherboard’s full report here.

Prior to joining BGR as News Editor, Brad Reed spent five years covering the wireless industry for Network World. His first smartphone was a BlackBerry but he has since become a loyal Android user.