Vulnerability allows hacking an Android smartphone using only a PNG image

Google claims that this vulnerability has not yet been exploited in the wild

Ethical hacking and network security specialists from the International Institute of Cyber Security recommend that users of Android smartphones be cautious when opening or downloading images on their devices because, oddly enough, this could compromise their security.

According to recent reports, an Android smartphone could be hacked merely by viewing a seemingly harmless image, due to three recently discovered critical vulnerabilities. These flaws are present in millions of devices running that operating system, from Android 7.0 Nougat up to the latest Android 9.0 Pie.

The vulnerabilities, tracked as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were patched by the Android Open Source Project as part of its February 2019 security updates, network security specialists report.

The problem is that not all smartphone manufacturers launch their security updates on a monthly basis, so mitigation for these vulnerabilities will not be available to all Android devices at the same time.
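Because the fix only reaches a device when its manufacturer ships the February 2019 patch level, the practical question for anyone responsible for a fleet is which devices are still exposed. The following Python triage helper is an added example, not code from the article or from Google: it parses the output of `adb shell getprop` (collected however you collect it) and reports whether a device is in the affected range the article names (Android 7.0 to 9.0) and whether its `ro.build.version.security_patch` is at or past the February 2019 level. The assumption that the first February 2019 patch level (2019-02-01) carries these fixes is the example's own; the sample property dumps are constructed.

```python
from datetime import date

# Affected release range, as stated in the article: Android 7.0 through 9.0.
AFFECTED_MIN = (7, 0)
AFFECTED_MAX = (9, 0)
# Assumption for this example: the first February 2019 patch level includes the fix.
REQUIRED_PATCH_LEVEL = date(2019, 2, 1)


def parse_getprop(text):
    """Parse `adb shell getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue
        key, _, value = line.partition("]: [")
        props[key[1:]] = value[:-1] if value.endswith("]") else value
    return props


def parse_version(release):
    """Turn '8.1.0' or '9' into a (major, minor) tuple; non-digits are ignored."""
    parts = []
    for piece in release.split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def parse_patch_level(value):
    """Security patch levels are ISO dates such as 2019-02-05; None if malformed."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def assess(props):
    """Decide whether a device still needs the February 2019 update."""
    release = props.get("ro.build.version.release", "")
    in_range = AFFECTED_MIN <= parse_version(release) <= AFFECTED_MAX
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    patched = patch is not None and patch >= REQUIRED_PATCH_LEVEL
    return {
        "release": release,
        "security_patch": patch.isoformat() if patch else None,
        "in_affected_range": in_range,
        "needs_update": in_range and not patched,
    }


# Constructed sample dumps, trimmed to the two properties that matter here.
SAMPLE_UNPATCHED = """
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2019-01-05]
"""
SAMPLE_PATCHED = """
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-02-05]
"""
SAMPLE_OUT_OF_RANGE = """
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2018-10-05]
"""

if __name__ == "__main__":
    for name, dump in [("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED),
                       ("out_of_range", SAMPLE_OUT_OF_RANGE)]:
        print(name, assess(parse_getprop(dump)))
```

A device whose release is outside 7.0 to 9.0 is reported as not needing this particular update even when its patch level is old; that is deliberate, since the article scopes these three flaws to that range, but such a device is of course still missing every other fix since its patch date.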

Google’s network security team has not revealed further technical details about the exploitation of these vulnerabilities, although the release notes for the update mention fixing bugs such as a “buffer overflow”, “SkPngCodec errors”, and further flaws in various components that render PNG images.

Reports indicate that one of the three vulnerabilities could allow a specially crafted PNG image to execute arbitrary code on the targeted device. Of the three, this is the most severe, according to Google’s security teams.

A malicious actor could exploit this vulnerability by tricking a user into opening or downloading the malicious PNG file on their device (the payload is not visible to the naked eye). The image can reach the user through an instant messaging service, as an email attachment, or as a download from any webpage.
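Since the flaw lives in the PNG decoder and the file looks like an ordinary image, the only place a defender can intervene before the patch arrives is in front of the decoder: a mail gateway or upload service can refuse files whose chunk structure is malformed. The following Python chunk walker is an added example, not code from the article or from Android's Skia library, and it does not detect these specific CVEs (the article gives no details of the triggering input); it enforces the PNG container rules (signature, chunk length bounded by the file, alphabetic chunk type, CRC, a 13-byte IHDR first, sane dimensions) so that grossly inconsistent files never reach a vulnerable decoder. The dimension limit and all sample files are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 14  # policy limit chosen for this example, not a PNG rule


def make_chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1):
    """Construct a tiny valid 8-bit RGB PNG (black pixels) for testing."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def walk_chunks(data):
    """Yield (type, body) per chunk; raise ValueError on any structural violation."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise ValueError("chunk length exceeds the PNG limit")
        end = pos + 8 + length
        if end + 4 > len(data):  # the declared length must fit inside the file
            raise ValueError(f"chunk {ctype!r} length {length} runs past end of file")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise ValueError("non-alphabetic chunk type")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def check_png(data):
    """Return (ok, reason) for a candidate PNG before it is handed to a decoder."""
    try:
        chunks = list(walk_chunks(data))
    except ValueError as exc:
        return False, str(exc)
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return False, "first chunk is not a 13-byte IHDR"
    width, height = struct.unpack(">II", chunks[0][1][:8])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return False, f"unreasonable dimensions {width}x{height}"
    return True, "ok"


# Constructed samples: one valid file and four malformed variants of it.
GOOD = build_png(3, 2)
TRUNCATED = GOOD[:-4]                                        # IEND loses its CRC
OVERSIZED = GOOD[:8] + struct.pack(">I", 0x0FFFFFFF) + GOOD[12:]  # IHDR length lies
BAD_CRC = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])               # IEND CRC corrupted
HUGE = (PNG_SIGNATURE
        + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1 << 20, 1, 8, 2, 0, 0, 0))
        + make_chunk(b"IDAT", zlib.compress(b"\x00")) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("truncated", TRUNCATED), ("oversized", OVERSIZED),
                       ("bad_crc", BAD_CRC), ("huge", HUGE)]:
        print(name, check_png(blob))
```

The check is deliberately conservative: it rejects anything whose declared sizes and checksums disagree with the bytes actually present, which is cheap to run on every inbound image and costs nothing for well-formed files, while leaving the actual decoding to the patched library.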

In its February updates, Google also included fixes for 42 vulnerabilities in the Android OS in total: 11 rated critical, 30 high and one medium severity. The company stresses that there is no evidence that any of these vulnerabilities have been exploited in the wild.

Finally, the company states that it had already notified its Android partners of the vulnerabilities weeks before these reports were published, and added that the source code for the fixes will be published shortly in the Android Open Source Project repository.