What’s the harm in opening a digital image? Well, Google has uncovered a new method to hack Android smartphones using malicious PNG files.
The problem was disclosed this week in Google’s Android security bulletin. A serious flaw in the operating system’s framework can let a remote attacker execute computer code on an Android device by using a “specially crafted PNG file,” the notice said.
The bulletin is deliberately vague on details, but Google said the issue was the most critical security vulnerability to be addressed on the list. It isn’t hard to imagine why; by exploiting the flaw, a hacker could send harmless-looking PNG files to victims over email, a messaging app, or social media that in reality trigger an Android device to download additional malware.
It isn’t the first time security research has shown that PNG files can be rigged for dangerous effect. Experts have demonstrated that you can encrypt Android malware inside images as a way to evade antivirus software. A separate app can then read the image file and decrypt it to launch the hidden computer code inside.
The flaw found in Android specifically deals with three vulnerabilities. The good news is that Google has patched the problems with an update to Android. Unfortunately, many third-party device makers can take weeks, if not months, to roll out security patches to their own phones. So you won’t be protected until your Android handset receives the 2019 Feb. update.
Still, Google hasn’t released technical details of the flaw. That means it won’t be easy for anyone to discover the hacking method. The company has also received no reports of anyone exploiting the vulnerability against real users.