Opening this image file grants hackers access to your Android phone

Doris Richards
February 10, 2019

Craig Young, computer security researcher for Tripwire Inc.'s Vulnerability and Exposure Research Team, told SiliconANGLE that the vulnerability appears to be directly related to how Android parses (that is, interprets) an image before rendering it. The flaw reveals a new method that can allow hackers to attack Android smartphones by using malicious PNG files.

The Android security bulletin classified the threat as severe, "based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed". The focus here is on a PNG file, because the critical vulnerability can be exploited via a specially crafted PNG file to execute arbitrary code within the context of a privileged process. It isn't hard to imagine why; by exploiting the flaw, a hacker could send harmless-looking PNG files to victims over email, a messaging app, or social media that in reality trigger an Android device to download additional malware.

It isn't the first time security research has shown that PNG files can be rigged for unsafe effect. The good news is that Google has patched the problems with an update to Android.

However, Android manufacturers delay the updates, which means that there are still devices that haven't received the fix. One of the vulnerabilities fixed by Google could allow a hacker to seed malware by just sending a photo in PNG format.

The flaw is one of the three vulnerabilities identified in the Android framework, and it is one of the most critical security issues in this month's security update. That means it won't be easy for anyone to discover the hacking method.

Although there are no reports of users being actively targeted in the wild via this vulnerability, this could change as the window for individual ecosystem vendors to issue patches can run into several weeks or even months.
