Google fixes PNG security bug that let hackers attack Android phones
Earlier this month, Google started rolling out a fresh security patch for its Android operating system. Apart from a host of other flaws, the February security patch for Android also fixed a key vulnerability that allowed malicious hackers to use an image to attack Android phones.
The security vulnerability essentially allowed hackers to hide malicious code in an image saved in the PNG file format. When the infected image was downloaded onto an Android device, it executed the hidden code and allowed the hackers to get privileged access to the infected Android smartphone. Put simply, an infected meme or an image saved in the PNG file format that your friends share with you could leave you vulnerable.
The critical security vulnerability, as Google notes, exists in Android’s Framework and “it could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
The vulnerability affects Android 7.0 Nougat and higher versions of the Android OS, including Android 9.0 Pie, and it covers three issues in Android’s Framework: CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.
Google has already released the security update to fix the vulnerability. It has also notified all its partners and released the code patches to the Android Open Source Project (AOSP) repository.
However, despite the proactive measures to fix the flaw, millions of Android devices are still vulnerable to the hack. The reason for this is simple. The security patch that Google has released will fix issues in a handful of devices, including Google’s own Pixel smartphones, the Pixel C tablet, and the Essential smartphone. That still leaves millions of Android smartphones vulnerable to the attack, as it will take smartphone makers time to adapt the patch to their own user interfaces and roll out the update to their devices.
However, the scenario is not all grim. The Mountain View, California-based company said that so far it has heard no reports of the vulnerability being used to target Android users. “We have had no reports of active customer exploitation or abuse of these newly reported issues,” Google said in its Android Security Bulletin for the month of February 2019. Additionally, the company, according to a report by ZDNet, has declined to share the technical details of the hack in order to mitigate the risk of the attack.
In case you don’t own a Pixel smartphone, the best way to stay clear of the hack is by not downloading PNG images from unknown or unreliable sources.