Google tracks the vulnerabilities as CVE-2015-3876 and CVE-2015-6602. It shared patches for them with OEM partners on Sept. 10, together with all fixes that will be included in the October security update.
The earlier Stagefright flaws prompted researchers to probe Android's multimedia processing libraries for additional vulnerabilities. Researchers from antivirus vendor Trend Micro have since found and reported multiple issues in these components.
"As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," the Zimperium researchers said in their report. "Many researchers in the community have said Google replied to bugs they reported saying they were duplicate or already discovered internally."
Zimperium plans to update its free Stagefright Detector app with detection for the flaws once the patches become available.
Sign up for CIO Asia eNewsletters.