PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many cases, they are no more than harmless fun, but sometimes there can be a hidden danger within these photos. If the photo in question happens to be in the PNG image file format, then your Android device could be at risk of attack.

Android Security Update

There was an advisory note in the February Android Security Update from Google. The advisory mentioned a critical vulnerability which exists in the Android operating system’s framework.

To trigger this flaw, all that’s needed is for an attacker to send the user a crafted PNG (Portable Network Graphics) file. If the user then opens this file, the exploit is triggered. Hackers are then able to execute code in the context of a privileged process. This vulnerability is thought to affect Android versions 7.0 and 9.0.

Three Bugs Found

This new vulnerability is one of three bugs that impact the Android Framework: CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988. These bugs are the most serious issues in the February update.

It isn’t thought that the PNG image file vulnerability has been exploited yet. However, because this bug can be easily exploited, users have been advised to accept all new Android updates.

Google has not given details of the exploit, to help reduce the risk of attack. It is also because companies using the Android system roll out security patches at different times.

Other Image Bugs

Researchers have previously found other bugs linked to images. In January, they discovered a new malvertising group called VeryMal. These scammers target Apple users and hide malicious code in digital images using steganography techniques.

This malicious code redirects users from legitimate websites to malicious domains controlled by the attackers.

If there is any doubt as to the source of a PNG image file, then it is always best practice not to open it.

 

 
