Home Cyber Attack Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File

by Abeerah Hashim
png image bug android

Sharing landscape pictures, cute animal photos or memes is quite common among smartphone users. That’s why images serve as one of the most robust pathways for attackers to spread malware. Google has recently warned Android users of a .PNG image bug that could allow an attacker execute malicious code on the victim’s device.

Critical .PNG Image Bug Threatened Android Users

As revealed in Google’s recent Android Security Bulletin, a .PNG image bug potentially put a vast majority of Android users at risk. The bug could potentially allow an attacker to take control of the device by elevating privileges. Exploiting the vulnerability merely requires an attacker to send a maliciously crafted .PNG image file to the victim’s device.

According to Google, the vulnerability mainly existed in the Android framework. As described,

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

Google has allegedly identified this flaw as three different vulnerabilities targeting Android versions 7.0 to 9. Precisely, the flaws include CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988 which Google has patched in Android version 9, versions 7.0 to 9, and versions 8.0, 8.1, 9, respectively.

For now, Google confirmed that they found no evidence of exploits in the wild. However, given the ease of exploiting the flaw, Google hasn’t revealed any technical information as of yet.

Numerous Other Security Flaws Also Patched

In addition to the PNG image vulnerability, Google also fixed numerous security flaws in Android Library, system, Kernel components, and NVIDIA components. These flaws could result in remote code execution, elevation of privileges, and information disclosure.

Google has released the patches in two different security patch levels, for which it states,

“This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly.”

Android users should ensure they update their devices to the latest versions to secure ones-self from potential exploits.

You may also like