Hacked By Opening a PNG image on your Android Phone?

Receiving, forwarding pictures on your android phone could get your hacked.

On February 7, 2019, Google reported a serious bug in its Android Security bulletin. They revealed that hackers are now able to hack into an Android smartphone via malicious PNG files. This means that your phone could be hacked, simply by opening a PNG.

Google hasn’t revealed the full details of the hack, but the three vulnerabilities have been identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988. This vulnerability has been patched by Google as part of the February Android Security Updates, however not every manufacturer rolls of updates every month. This leads thousands of Android users vulnerable to this type of attack.

The attack is thought to work like this. A user would receive a malicious PNG(image)  file over a messaging service/email , and click on the image to expand it. The PNG image would then be able to execute arbitrary code onto the vulnerable device.

Google says:

“the most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

Google has stated that they have not seen any examples of this attack in the wild, and they are not aware that these vulnerabilities have ever been exploited. This is likely why Google is not releasing the full details of the process since many users will still have unpatched phones and hackers will now be working to exploit this.

It is also not clear exactly when these vulnerabilities were identified, however, Google did state that they notified its Android partners of them a month prior to publication.

Other security fixes were also issued in February’s bundle. It’s important to note that Android now only releases security updates for Android 7 to 9.

The library has four flaws:

• CVE-2017-17760 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9;
• CVE-2018-5268 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9
• CVE-2018-5269 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9;
• CVE-2017-18009 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

System has eight flaws:

• CVE-2019-1991 affection versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9;
• CVE-2019-1992 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9;
• CVE-2019-1993 affecting versions 8.0, 8.1, and 9;
• CVE-2019-1994 affecting versions 8.0, 8.1, and 9;
• CVE-2019-1995 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9;
• CVE-2019-1996 affecting versions affecting 8.0, 8.1, and 9;
• CVE-2019-1997 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9;
• CVE-2019-1998 affecting version 9.

Security on Android is a significant concern due to how infamously slow Android devices are to get updates. As of August 2018, only 1.1% of Android users had access to the February 2018 update. The company Security Research Labs conducted research that alleged that several Android manufacturers were lying to their customers about missed security patches. When the researchers highlighted the issue to Google, they said:

“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users.

Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”