Your Android phone can get hacked just by opening an image
Hackers have a dangerous new loophole.
According to the latest findings of the Google security team, viewing an innocent-looking image on your Android might result in a hacked phone.
In its latest Android Security Bulletin, Google has detailed several critical flaws in its mobile operating system, including three vulnerabilities that have to do with the way Android handles PNG (Portable Network Graphics) files.
According to Google, “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
What this basically means is that a malicious actor can send you a PNG file that contains hidden code. When you view the PNG image on your phone, that code will be executed. “Privileged process” means that the malicious code will have access to all the functions of your phone. Theoretically, a well-designed attack using the flaw could take over your phone and perform harmful tasks such as installing malware and stealing information.
The vulnerability affects Android OS versions 7.0 (Nougat) to 9.0 (Pie). This flaw is especially dangerous because users are less wary of media files. Security experts will give you plenty of warnings about not downloading and installing applications from unknown and untrusted sources, but media files such as images, audio, and video files are generally considered harmless.
The good and bad news
We’re still waiting for Google to release more details about the vulnerabilities. But according to the security bulletin, there’s no evidence of active customer exploitation or abuse of the reported issues.
Google has also patched the flaws in an update for its own devices. That’s good news for users who own Google-manufactured Pixel phones. The bad news is for users who have bought devices from other vendors, which usually take a little longer to roll out patches.
Renowned brands such as Samsung and LG usually release updates a few days after Google. But lesser-known vendors can take weeks or months.
Not the first time media files have been weaponized
While the latest Android flaw is pretty scary, it’s not the first time the mobile OS has had a security flaw that takes advantage of media files.
In 2014, researchers at Fortinet discovered they could encrypt malware inside PNG files and hide them from Google Play’s malware scanner. In a proof-of-concept demonstration, the researchers hid their malware in a simple image-viewing application. When the user opened the malware-infected image, the application retrieved and decrypted the malware from inside the image and installed it on the device.
In 2015, security researchers at Zimperium discovered a vulnerability in Android versions 2.2 and higher, codenamed Stagefright, that enabled hackers to perform remote code execution by sending video files to their victims. Many messaging apps automatically process the video upon receiving it, so the attack could be initiated without the target doing anything. At the time, it was estimated that more than 900 million devices were affected by the vulnerability.
The best way to protect yourself against Android’s latest PNG security flaw is to install updates as soon as your carrier and device manufacturer make them available.
Google also recommends that users restrict their smartphones to only install applications from Google Play and enable Google Play Protect, the feature that enables the Android security team to monitor your phone for malicious apps and activity. Installing applications from third-party markets always carries risk.
While you wait for your security patches, think twice before you tap that next cat photo.
Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.