Your Android phone can get hacked just by opening an image
Hackers have a dangerous new loophole.
According to the latest findings of the Google security team, viewing an innocent-looking image on your Android might result in a hacked phone.
In its latest Android Security Bulletin, Google has detailed several critical flaws in its mobile operating system, including three vulnerabilities that have to do with the way Android handles PNG (Portable Network Graphic) files.
According to Google, “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
In plain terms: a PNG is not just a grid of pixels but a structured file that the phone has to parse, and the bulletin describes a flaw in the code that decodes PNG images. An attacker can craft an image whose internal fields trigger that flaw and hijack the decoder, so simply displaying the picture, in a message, a gallery or a web page, runs the attacker’s code. “Privileged process” means that code runs with the permissions of a system component rather than those of a sandboxed app, so a well-designed attack could take over the phone, install malware and steal information.
The bulletin lists Android 7.0 (Nougat) through 9.0 (Pie) as affected. What makes the flaw especially dangerous is that people treat media files with far less suspicion than apps. Security experts give plenty of warnings about not downloading and installing applications from unknown and untrusted sources, but images, audio and video are generally considered harmless, and phones open them without asking.
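To make concrete what “specially crafted” means, here is an added example that is not code from the article or from Android: a small defensive parser for the PNG container in Python. It checks the fields an attacker controls, the chunk length, the CRC and the declared image dimensions, before anything is allocated or decoded, and it rejects constructed hostile files of the kind a crafted image would carry. The size cap, the sample images and the function names are assumptions made for the demonstration; the actual Android bug is not detailed on this page and is not modelled here.

```python
"""Defensive PNG container parser (illustrative only, not Android's decoder)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = (1 << 31) - 1          # PNG spec: chunk length must fit in 31 bits
MAX_PIXEL_BYTES = 64 * 1024 * 1024     # policy cap on decoded size (assumption for the demo)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


def iter_chunks(data):
    """Yield (type, payload) per chunk, refusing lengths the file cannot back."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_LEN:
            raise ValueError("chunk %r length %d exceeds 31-bit limit" % (ctype, length))
        # The attacker controls 'length': compare it with the bytes actually present
        # before ever using it as a read or copy size.
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk %r claims %d bytes but only %d remain"
                             % (ctype, length, len(data) - pos - 12))
        payload = data[pos + 8:end]
        expected_crc = struct.unpack(">I", data[end:end + 4])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != expected_crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")


def parse_ihdr(payload):
    """Validate the header and the allocation it implies before decoding anything."""
    if len(payload) != 13:
        raise ValueError("IHDR must be 13 bytes, got %d" % len(payload))
    width, height, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", payload)
    if width == 0 or height == 0 or width > MAX_CHUNK_LEN or height > MAX_CHUNK_LEN:
        raise ValueError("invalid dimensions %dx%d" % (width, height))
    if ctype not in CHANNELS or depth not in (1, 2, 4, 8, 16):
        raise ValueError("unsupported colour type %d / depth %d" % (ctype, depth))
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise ValueError("bad IHDR method fields")
    # In a C decoder, width * channels * height is where an integer overflow would
    # produce a too-small buffer; here the product is exact and compared to a cap.
    row_bytes = (width * CHANNELS[ctype] * depth + 7) // 8 + 1   # +1 filter byte per row
    pixel_bytes = row_bytes * height
    if pixel_bytes > MAX_PIXEL_BYTES:
        raise ValueError("decoded image would need %d bytes" % pixel_bytes)
    return {"width": width, "height": height, "depth": depth,
            "color_type": ctype, "row_bytes": row_bytes}


def validate_png(data):
    """Return (True, header) for a structurally sane file, else (False, reason)."""
    try:
        chunks = iter_chunks(data)
        ctype, payload = next(chunks)
        if ctype != b"IHDR":
            return False, "first chunk is %r, not IHDR" % ctype
        header = parse_ihdr(payload)
        saw_idat = any(ctype == b"IDAT" for ctype, _ in chunks)
        if not saw_idat:
            return False, "no IDAT chunk"
        return True, header
    except (ValueError, StopIteration) as exc:
        return False, str(exc)


def chunk(ctype, payload):
    """Serialize one chunk with a correct CRC (used only to build the samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width, height, ihdr_override=None):
    """Constructed sample: a solid 8-bit RGB image; ihdr_override injects a hostile header."""
    ihdr = ihdr_override or struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x80\xff" * width for _ in range(height))
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


# Constructed inputs for the demonstration (not real-world samples).
GOOD = build_png(2, 2)
# Header claims 0x7FFFFFFF x 0x7FFFFFFF pixels: a naive size computation in 32 bits wraps around.
HUGE_DIMS = build_png(2, 2, ihdr_override=struct.pack(">IIBBBBB", 0x7FFFFFFF, 0x7FFFFFFF, 8, 2, 0, 0, 0))
# Length field says 1 GiB of IDAT data, but the file ends 16 bytes later.
OVERSIZED = PNG_SIGNATURE + struct.pack(">I", 1 << 30) + b"IDAT" + b"\x00" * 16
# One byte of IDAT payload flipped: the CRC check catches the tamper.
_idat_payload = len(PNG_SIGNATURE) + 25 + 8     # 25 = IHDR chunk, 8 = IDAT length + type
_tampered = bytearray(GOOD)
_tampered[_idat_payload + 2] ^= 0x01
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("huge", HUGE_DIMS), ("oversized", OVERSIZED), ("tampered", TAMPERED)]:
        print(name, validate_png(sample))
```

Each rejection happens before any pixel buffer exists: the length check runs before the payload is sliced, the CRC check before the payload is trusted, and the dimension check before a decoder would allocate. A real decoder has to do the same bounds work on every field it reads; a single missing comparison in that path is the kind of flaw a crafted image exploits.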
The good and bad news
We’re still waiting for Google to release more details about the vulnerabilities. But according to the security bulletin, there’s no evidence of active customer exploitation or abuse of the reported issues.
Google has also shipped the fixes in an update for its own devices. That is good news for users who own Google-manufactured Pixel phones. The bad news is for users of devices from other vendors, which usually take longer to roll out patches.
Major brands such as Samsung and LG usually release updates a few days after Google, but lesser-known vendors can take weeks or months.
Not the first time media files have been weaponized
While the latest Android flaw is alarming, it is not the first time an Android security weakness has been exploitable through media files.
In 2014, researchers at Fortinet showed they could encrypt malware inside PNG files and hide it from Google Play’s malware scanner. In a proof-of-concept demonstration, the researchers hid the payload in a simple image-viewing application. When the user opened the booby-trapped image, the application retrieved and decrypted the malware from inside the image and installed it on the device.
In 2015, security researchers at Zimperium discovered a vulnerability in Android versions 2.2 and higher, known as Stagefright after the media library it lived in, that enabled attackers to achieve remote code execution by sending crafted video files to their victims, for example via MMS. Many messaging apps automatically process video on receipt, so the attack could succeed without the target doing anything. At the time, it was estimated that more than 900 million devices were affected.
The best way to protect yourself against Android’s latest PNG security flaw is to install updates as soon as your carrier and device manufacturer make them available.
Google also recommends that users restrict their phones to installing applications only from Google Play and enable Google Play Protect, the feature that scans apps on the device for known malware. Sideloading apps from third-party markets always carries extra risk. Note that these settings reduce your general exposure but do not close this particular hole: a bug in the image decoder is triggered by displaying an image, not by installing an app, so only the patch fixes it.
While you wait for your security patches, think twice before you tap that next cat photo.
Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.