Published: Sun, February 10, 2019

Your Android Phone Could Get Hacked Just By Opening A PNG Image


What's the harm in opening a digital image? Well, Google has uncovered a brand new security vulnerability that can be employed to hack Android smartphones using a PNG file.

In Google's latest Android security bulletin, the search giant acknowledges that one vulnerability could allow malicious code embedded in a PNG file to be executed within an Android app if that application views the image. The best solution is to not open an image, specifically a PNG file, received via an untrusted email, SMS, or messaging platform.

The vulnerability was one of three bugs impacting Android Framework (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and is the most severe security issue in the February update. Given the ease with which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible. A serious flaw in the operating system's framework can let a remote attacker execute computer code on an Android device by using a "specially crafted PNG file", the notice said.

Once opened, the malicious code could start running malware on an Android smartphone or tablet with high-level privileges, where it could then wreak havoc.


Craig Young, computer security researcher for Tripwire Inc.'s Vulnerability and Exposure Research Team, told SiliconANGLE that it appears that the vulnerability is directly related to how Android parses, that is interprets, an image before rendering it.

Although there are no reports of users being actively targeted in the wild via this vulnerability, this could change as the window for individual ecosystem vendors to issue patches can run into several weeks or even months.

Still, Google hasn't released technical details of the flaw.

The vulnerability has been patched in the February Android Open Source Project repository, but unlike Apple iOS devices, which can receive security updates when they are available, Android devices require updates from either the smartphone maker or a user's carrier.
