Google released a bunch of Android patches today, covering off some previously-disclosed issues including the worrying Quadrooter bugs that affected 900 million phones. But another, previously-unknown critical weakness has been covered too and you’ll want to download the patch now because the hack can be delivered hidden inside an innocuous-looking photo in a social media or chat app. A victim wouldn’t even have to click on the evil photo: as soon as its data was parsed by the phone, it’d quietly let a remote hacker take over the device or simply brick it.
The problem, according to the researcher who uncovered the vulnerability, lay in the way certain Android apps parsed the Exif data embedded in an image. Any app using a slice of Android code – the Java object ExifInterface – is likely vulnerable, said Tim Strazzere, from security firm SentinelOne.
Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.
The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere said. That’s not dissimilar to how the Stagefright exploits of last year ran.
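To make the parsing risk concrete, here is an added example (not code from the article, from SentinelOne or from Android’s ExifInterface) of the bounds checks a defensively written Exif reader has to apply before it trusts any offset or length taken from an untrusted image. The JPEG bytes it parses are constructed inline by build_sample; the hostile variant simply carries an IFD value offset that points far outside the file, which a careless reader would follow.

```python
import struct

# TIFF/Exif field types and their per-element sizes (from the TIFF 6.0 spec)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
MAX_ENTRIES = 256            # defensive cap; real IFD0s hold a few dozen entries
MAX_VALUE_BYTES = 64 * 1024  # refuse absurd per-tag payloads before allocating


class ExifError(ValueError):
    """Raised for any structural problem; callers treat the image as untrusted."""


def find_exif_segment(jpeg: bytes) -> bytes:
    """Walk the JPEG marker segments and return the TIFF payload of the APP1/Exif segment."""
    if len(jpeg) < 4 or jpeg[:2] != b"\xff\xd8":
        raise ExifError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ExifError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start of scan: no more headers
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        # Segment length includes its own two bytes; it must fit inside the buffer
        if seg_len < 2 or pos + 2 + seg_len > len(jpeg):
            raise ExifError("segment length %d runs past end of file" % seg_len)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seg_len
    raise ExifError("no Exif APP1 segment")


def decode_value(endian: str, typ: int, count: int, raw: bytes):
    """Decode ASCII, SHORT and (S)LONG values; everything else is returned as raw bytes."""
    if typ == 2:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 3:
        return list(struct.unpack(endian + "%dH" % count, raw))
    if typ in (4, 9):
        return list(struct.unpack(endian + ("%dI" if typ == 4 else "%di") % count, raw))
    return raw


def parse_exif(tiff: bytes) -> dict:
    """Parse IFD0 of a TIFF blob into {tag: value}, validating every offset against len(tiff)."""
    if len(tiff) < 8:
        raise ExifError("TIFF header truncated")
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ExifError("bad byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    if ifd_off < 8 or ifd_off + 2 > len(tiff):
        raise ExifError("IFD0 offset %d out of range" % ifd_off)
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    if count > MAX_ENTRIES:
        raise ExifError("too many IFD entries (%d)" % count)
    if ifd_off + 2 + 12 * count > len(tiff):
        raise ExifError("IFD entry table runs past end of data")
    tags = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[off:off + 8])
        if typ not in TYPE_SIZES:
            continue                          # unknown type: skip rather than guess a size
        size = TYPE_SIZES[typ] * n
        if size > MAX_VALUE_BYTES:
            raise ExifError("tag 0x%04x value too large (%d bytes)" % (tag, size))
        if size <= 4:
            raw = tiff[off + 8:off + 8 + size]   # value is stored inline in the entry
        else:
            (voff,) = struct.unpack(endian + "I", tiff[off + 8:off + 12])
            if voff + size > len(tiff):          # the check a vulnerable reader omits
                raise ExifError("tag 0x%04x value offset %d out of range" % (tag, voff))
            raw = tiff[voff:voff + size]
        tags[tag] = decode_value(endian, typ, n, raw)
    return tags


def parse_jpeg(jpeg: bytes) -> dict:
    return parse_exif(find_exif_segment(jpeg))


def build_sample(make: bytes, orientation: int, little_endian: bool = True, make_off=None) -> bytes:
    """Constructed test JPEG: SOI, one APP1/Exif segment with IFD0 (Make + Orientation), EOI.
    make_off overrides the Make value offset so a hostile, out-of-bounds pointer can be simulated."""
    e = "<" if little_endian else ">"
    entries = 2
    real_make_off = 8 + 2 + 12 * entries + 4        # Make string sits right after the IFD
    ifd = struct.pack(e + "H", entries)
    ifd += struct.pack(e + "HHII", 0x010F, 2, len(make), make_off if make_off is not None else real_make_off)
    ifd += struct.pack(e + "HHI", 0x0112, 3, 1) + struct.pack(e + "H", orientation) + b"\x00\x00"
    ifd += struct.pack(e + "I", 0)                   # no next IFD
    tiff = (b"II" if little_endian else b"MM") + struct.pack(e + "HI", 42, 8) + ifd + make
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The point of the example is the ordering: every length and offset is validated against the actual buffer size before a single byte is read through it, and any failure rejects the whole image rather than clamping or guessing. A reader that trusts the file’s own counts and offsets, as the article describes, is the class of code that a crafted image can turn into a crash or worse.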
“Theoretically, someone could create a generic exploit inside an image to exploit lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” The researcher wouldn’t reveal the names of the other, non-Google apps affected, other than to say they included “privacy-sensitive” tools.
Prior to today’s update, which provides patches for all versions of Google’s operating system from 4.4.4 up, older Android devices would have been in greater danger of an image-based hack. “Most of the newer mitigations in place made it quite difficult for me to get a stage working exploit that could work on multiple devices,” Strazzere said. “With this said, it was incredibly easy to cause the phone to become unusable (due to the mitigations) and go into endless reboots. There were even a few phones that somehow got bricked in this process, all from just receiving the corrupted image over Gmail.”
Another warning: Strazzere successfully tested his exploits on phones stretching back to a handful of Android 4.2 and Amazon devices. They may well remain unpatched, leaving users exposed. As Strazzere told me, if you’re not running an up-to-date operating system and/or device, it’s probably time to invest if you’re worried about security.
Google gave Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a building program and workspace for girls aged 9-13.
Android manufacturing partners were advised about Strazzere’s find – and the scores of other vulnerabilities detailed today – on 5 August or before. If concerned, check with your device maker to see when an update is on the way. Google Nexus phones running Android 4.4.4 and above should receive an over-the-air update today.