All Android phones are vulnerable to a huge hack that could allow people to take over phones if people just watch one booby-trapped video.

The flaw, dubbed Stagefright 2 by the team that found it, follows a similar bug earlier this year that also hit all of the billion Android devices in use. It exploits a weakness in one of the pieces of code in the operating system, which can allow hackers access to the device.

In the wake of the first bug, Stagefright, many rushed out changes to their security systems intended to stop similar attacks in the future. But the relevant code still hasn’t been properly patched, according to the researchers.

To be hit by it, all attackers need to do is lure someone into opening a URL, which would appear innocent to the user. They could then open the video or audio file — and since the flaw can be exploited using the metadata that comes with that file, they wouldn’t need to do anything more.

The team that found the hack, Zimperium, is the same that identified the first Stagefright vulnerability. It is likely to be fixed in an update last week.

But even if a fix is pushed out, users’ phones may not receive the update straight away. Because of the way Android updates are delivered, phone companies must first approve them — a process which can take weeks.

Zimperium said that it would not be publicly releasing any details on the flaw until it was patched by Google. It cannot even update its tool to check whether phones are vulnerable to the problem it said, so it’s not possible to be sure how many have been hit by it.

The team noted that the original hack had been “a catalyst for change”. “Following our initial Stagefright announcement, industry-leading vendors made a clear statement that security updates will be provided on a monthly basis,” the team wrote.