Android Bug Lets Hackers Attack a Phone Using Only an Image File

Joanna Estrada
February 10, 2019

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in .PNG format, your Android device could be critically compromised due to a new attack.

The Android security bulletin classified the threat as severe, "based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed".

"Vulnerabilities like these bring to light the disparate update strategies across Android phones," explained Tripwire VP Tim Erlin. So you won't be protected until your Android handset receives the February 2019 update.

Because Google hasn't released the technical details of the flaw, it won't be easy for anyone to abuse this hacking method. Users should patch their Android smartphone as soon as a security update is available from the handset manufacturer. Simply put, opening the infected PNG file will activate the exploit and could open the floodgates for downloading malware on the device.

A major flaw in Android's framework allows an attacker to execute computer code remotely by using a maliciously crafted PNG image file to smuggle the code.

The vulnerability was disclosed by Google, but the company confirms that it has already released a patch to the Android Open Source Project (AOSP) repository.

The critical vulnerability has been spotted in three forms (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and affects Android smartphones running Android 7.0 or a higher build going all the way up to Android Pie.

Google has said that it has no reports of anyone exploiting the vulnerabilities listed in its February security bulletin against real users or in the wild.

While Pixel users have received an update to patch the critical vulnerability, other smartphone makers are yet to release an update to address the issue on their offerings.

Other reports by Click Lancashire
