According to the latest findings of the Google security team, viewing an innocent-looking image on your Android might result in a hacked phone.
In its latest Android Security Bulletin, Google has detailed several critical flaws in its mobile operating system, including three vulnerabilities in the way Android handles PNG (Portable Network Graphics) files.
According to Google, “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
In plain terms, a malicious actor can send you a PNG file crafted so that the code Android uses to decode it misbehaves and runs the attacker's instructions when you view the image. “Privileged process” means that the malicious code runs with elevated access to your phone's functionality rather than inside a sandboxed app. In theory, a well-designed attack using the flaw could take over your phone and perform harmful tasks such as installing malware and stealing information.
The vulnerability affects Android OS versions 7.0 (Nougat) to 9.0 (Pie). This flaw is especially dangerous because people are far less wary of media files. Security experts will give you plenty of warnings about not downloading and installing applications from unknown and untrusted sources, but media files such as images, audio, and video files are generally considered harmless.
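As an added illustration, not code from the article or from Google, the Python below walks the chunk structure every PNG decoder has to trust and rejects files whose declared chunk lengths, type names or CRCs do not add up; the sample image and its malformed twin are constructed inline, and the 16 MiB chunk cap is an assumed policy value.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 16 * 1024 * 1024  # tighter than PNG's 2**31-1 so absurd lengths fail early

def parse_png_chunks(data, max_chunk_len=MAX_CHUNK_LEN):
    """Walk the chunk list, checking lengths, type names and CRCs; return [(type, len)] or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) is the minimum chunk
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > max_chunk_len:
            raise ValueError(f"chunk {ctype!r} declares oversized length {length}")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise ValueError(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype.decode("ascii"), length))
        pos = end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != "IHDR" or chunks[-1][0] != "IEND":
        raise ValueError("chunk list must start with IHDR and end with IEND")
    return chunks
def is_wellformed_png(data):
    """Boolean gate that a service could run before handing bytes to an image decoder."""
    try:
        parse_png_chunks(data)
        return True
    except ValueError:
        return False
def build_chunk(ctype, payload):  # used only to construct the sample file below
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed 1x1 8-bit grayscale sample (not a file from the article).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")  # filter byte 0 plus a single pixel
GOOD_PNG = PNG_SIGNATURE + build_chunk(b"IHDR", IHDR) + build_chunk(b"IDAT", IDAT) + build_chunk(b"IEND", b"")
# Same bytes with IDAT's length field inflated to 0x7FFFFFFF: a header a decoder must not trust blindly.
BAD_PNG = GOOD_PNG.replace(struct.pack(">I", len(IDAT)) + b"IDAT", b"\x7f\xff\xff\xff" + b"IDAT")
```

A check like this catches structurally dishonest files but not every decoder bug, so it complements rather than replaces the vendor patch.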
The good and bad news
We’re still waiting for Google to release more details about the vulnerabilities. But according to the security bulletin, there’s no evidence of active customer exploitation or abuse of the reported issues.
Google has also patched the flaws in an update for its own devices. That’s good news for users who own Google-manufactured Pixel phones. The bad news is for users who have bought devices from other vendors, which usually take a little longer to roll out patches.
Major brands such as Samsung and LG usually release updates a few days after Google, but lesser-known vendors can take weeks or months.
Not the first time media files have been weaponized
While the latest Android flaw is pretty scary, it’s not the first time the mobile OS has had a security flaw that can be triggered through media files.
In 2014, researchers at Fortinet discovered they could encrypt malware inside PNG files and hide them from Google Play’s malware scanner. In a proof-of-concept demonstration, the researchers hid their malware in a simple image-viewing application. When the user opened the malware-infected image, the application retrieved and decrypted the malware from inside the image and installed it on the device.
In 2015, security researchers at Zimperium discovered a vulnerability in Android versions 2.2 and higher, codenamed Stagefright, that enabled hackers to perform remote code execution by sending video files to their victims. Many messaging apps automatically process the video upon receiving it, so the attack could be initiated without the target doing anything. At the time, it was estimated that more than 900 million devices were affected by the vulnerability.
The best way to protect yourself against Android’s latest PNG security flaw is to install updates as soon as your carrier and device manufacturer make them available.
Google also recommends that users restrict their smartphones to installing applications only from Google Play and enable Google Play Protect, the feature that lets the Android security team monitor your phone for malicious apps and activity. Installing applications from third-party markets always carries added risk.
While you wait for your security patches, think twice before you tap that next cat photo.
Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.