The newly released bugs are part of the Stagefright family of vulnerabilities, disclosed by Zimperium zLabs.
Stagefright was first disclosed in April, with a demonstration that allowed for infection via SMS. The two new Stagefright vulns expand the range of affected devices to all versions of Android since 2008's version 1.0, and spread via MP3s and MP4s.
Google was informed of the bugs on August 15, but has not yet released a patch. They say a patch will come on Oct 5.
Android has been fragmented by phone hardware makers and carriers, who've been eager to put their own stamp on the OS, and in some cases, to restrict functionality such as tethering. As a result, the patch (when it ships) will take a long time to reach all affected devices — in many cases, it won't even be available until the carrier/vendor gets around to pushing it out.
Many countries have "anti-circumvention" laws on the books, put there at the insistence of the US Trade Representative, that make jailbreaking your phone illegal. For people whose vendors don't patch this bug (or patch it late), the only way to secure their handsets will be to jailbreak them and install an OS that bypasses the vendor, breaking the law.
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google's Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or malicious ad campaign).
An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) into unencrypted network traffic destined for the browser.
3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
New Stagefright Bugs Leave More Than 1 Billion Android Users Vulnerable