Android devices could be hacked by viewing a malicious PNG Image

Google patched a critical flaw in its Android OS that allows an attacker to send a specially crafted PNG image file to hack a target device,

Opening an image file on your smartphone could allow attackers to hack into your Android device due to three critical vulnerabilities,
CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.

The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.

Google addressed the three vulnerabilities in the Android Open Source Project (AOSP) as part of the February Android Security Updates.

Even if Google has addressed the flaws, each vendor will have to distribute the patch for its models and this process usually doesn’t occur on a regular basis.

Researchers at Google did not provide technical details for the flaws, the tech giant only reported that the security updates addressed a “heap buffer overflow flaw,” “errors in SkPngCodec,” and vulnerabilities in some components that render PNG images.

According to the security advisory published by Google, the most severe of the three vulnerabilities could allow a maliciously crafted .PNG image file to execute arbitrary code on the vulnerable Android devices.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.” reads the security bulletin.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Experts pointed out that an attacker could exploit the flaw by tricking potential victims into opening a maliciously crafted PNG image file on their Android.

The malicious image could be sent through a mobile message service or an email app.

Google addressed three critical flaws in The Framework component, the overall number of critical issues is 11. The tech giant addressed a total of 42 flaws, 30 of which were rated high severity.

Google fixed 4 flaws in Android components manufactured by NVIDIA and five by the chip maker Qualcomm.

The good news is that Google is not aware of active exploitation of the flaws addressed by the company in the wild.

Google reported the flaws to its partners in January.

“Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. ” concludes Google.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android, PNG)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.