New Android Bug Can Let Hackers Attack Phone With PNG Image File

Haythem Elmir

What’s the harm in opening a digital image? Well, Google has uncovered a new method to hack Android smartphones using malicious PNG files.

The problem was disclosed this week in Google’s Android security bulletin. A serious flaw in the operating system’s framework can let a remote attacker execute computer code on an Android device by using a « specially crafted PNG file, » the notice said.

The bulletin is deliberately vague on details, but Google said the issue was the most critical security vulnerability to be addressed on the list. It isn’t hard to imagine why; by exploiting the flaw, a hacker could send harmless-looking PNG files to victims over email, a messaging app, or social media that in reality trigger an Android device to download additional malware.

It isn’t the first time security research has shown that PNG files can be rigged for dangerous effect. Experts have demonstrated that you can encrypt Android malware inside images as a way to evade antivirus software. A separate app can then read the image file and decrypt it to launch the hidden computer code inside.

The flaw found in Android specifically deals with three vulnerabilities. The good news is that Google has patched the problems with an update to Android. Unfortunately, many third-party device makers can take weeks, if not months, to roll out security patches to their own phones. So you won’t be protected until your Android handset receives the 2019 Feb. update.

Still, Google hasn’t released technical details of the flaw. That means it won’t be easy for anyone to discover the hacking method. The company has also received no reports of anyone exploiting the vulnerability against real users.


Laisser un commentaire

Next Post

Abusing Exchange: One API call away from Domain Admin

In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers […]