According to the latest findings of the Google security team, viewing an innocent-looking image on your Android might result in a hacked phone.
In its latest Android Security Bulletin, Google has detailed several critical flaws in its mobile operating system, including three vulnerabilities that have to do with the way Android handles PNG (Portable Network Graphic) files.
According to Google, “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
What this basically means is that a malicious actor can send you a PNG file that contains secret commands. When you view the PNG image in your phone, the commands will be executed. “Privileged process” means that the malicious code will have access to all the functionalities of your phone. Theoretically, a well-designed attack using the flaw could take over your phone and perform harmful tasks such as installing malware and stealing information.
The vulnerability affects Android OS versions 7.0 (Nougat) to 9.0 (Pie). This flaw is especially dangerous because there’s less sensitivity over media files. Security experts will give you plenty of warnings about not downloading and installing applications from unknown and untrusted sources, but media files such as images, audio, and video files are generally considered harmless.
The good and bad news
We’re still waiting for Google to release more details about the vulnerabilities. But according to the security bulletin, there’s no evidence of active customer exploitation or abuse of the reported issues.
Google has also patched the flaws in an update for its own devices. That’s good news for users who own Google-manufactured Pixel phones. The bad news is for users who have bought devices from other vendors, which usually take a little longer to roll out patches.
Renowned brands such as Samsung and LG usually release updates a few days after Google. But lesser known vendors can take weeks of months.
Not the first time media files have been weaponized
While the latest Android flaw is pretty scary, it’s not the first time the mobile OS has churned out a security flaw that takes advantage of media files.
In 2014, researchers at Fortinet discovered they could encrypt malware inside PNG files and hide them from Google Play’s malware scanner. In a proof-of-concept demonstration, the researchers hid their malware in a simple image-viewing application. When the user opened the malware-infected image, the application retrieved and decrypted the malware from inside the image and installed it on the device.
In 2015, security researchers at Zimperium discovered a vulnerability in Android versions 2.2 and higher, codenamed Stagefright, that enabled hackers to perform remote code execution by sending video files to their victims. Many messaging apps automatically process the video upon receiving it, so the attack could be initiated without the target doing anything. At the time, it was estimated that more than 900 million devices were affected by the vulnerability.
The best way to protect yourself against Android’s latest PNG security flaw is to install updates as soon as your carrier and device manufacturer make them available.
Google also recommends that users restrict their smartphones to only install applications from Google Play and enable Google Play Protect, the feature that enables the Android security team to monitor your phone for malicious apps and activity. Installing applications from third-party markets always trails threats.
While you wait for your security patches, think twice before you tap that next cat photo.