X
Tech

Opening this image file grants hackers access to your Android phone

Be careful if you are sent an image from a suspicious source.
Written by Charlie Osborne, Contributing Writer

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google's Android security update for February, the tech giant's advisory noted a critical vulnerability which exists in the Android operating system's framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google. 

Android versions 7.0 to 9.0 are impacted.

CNET: Lawmakers have questions for Apple about FaceTime eavesdropping bug

The vulnerability was one of three bugs impacting Android Framework -- CVE-2019-1986,  CVE-2019-1987, and CVE-2019-1988 -- and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

TechRepublic: Attention developers: Google wants to pay you $15,000 to improve cloud security

Google's bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.  

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

See also: Firefox to get a 'site isolation' feature, similar to Chrome

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards