/>
X

Opening this image file grants hackers access to your Android phone

Be careful if you are sent an image from a suspicious source.
charlie-osborne.jpg
Written by Charlie Osborne, Contributor on

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google's Android security update for February, the tech giant's advisory noted a critical vulnerability which exists in the Android operating system's framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google. 

Android versions 7.0 to 9.0 are impacted.

CNET: Lawmakers have questions for Apple about FaceTime eavesdropping bug

The vulnerability was one of three bugs impacting Android Framework -- CVE-2019-1986,  CVE-2019-1987, and CVE-2019-1988 -- and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

TechRepublic: Attention developers: Google wants to pay you $15,000 to improve cloud security

Google's bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.  

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

See also: Firefox to get a 'site isolation' feature, similar to Chrome

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Related

How to install Android apps on your Chromebook
The Chrome OS system tray popup.

How to install Android apps on your Chromebook

Productivity
At Open Source Summit, Linus Torvalds hosts another fireside chat
Linus Torvalds and Dirk Hohndel Open Source Summit NA 2022

At Open Source Summit, Linus Torvalds hosts another fireside chat

Enterprise Software
Time to update: Google patches seven Chrome browser bugs, four rated 'high' risk
gettyimages-a-man-looking-concerned-and-worried-at-his-laptop-while-sitting-in-an-office

Time to update: Google patches seven Chrome browser bugs, four rated 'high' risk

Security