Google began rolling out the February security patch for its Pixel phones early this week. The update fixes a number of known vulnerabilities in the Android operating system, including some that have been categorized as critical. One of the vulnerabilities being fixed could allow an attacker to take control of your device just by sending a photo in PNG format. When an Android user opens such an image, the malicious file triggers the exploit, which allows the attacker to remotely execute arbitrary code and thus take control of the device.
The attack vector is similar to the critical media bugs Google has addressed in the past, which allowed attackers to take control of the host device by seeding malware through a downloadable video file. “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” Google said in its security bulletin for February 2019, which details the vulnerabilities fixed with this update.
This critical vulnerability has been spotted in three forms (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and affects smartphones running Android 7.0 Nougat or higher. While Google has identified and addressed the vulnerability, it seems that not all Android devices are safe from this threat. Since the February 2019 security patch has been released only to a handful of devices, including Google’s own Pixel range of smartphones, the Pixel C tablet and the Essential Phone, there are millions of active devices at risk of being targeted by bad actors.
Google says it offers the monthly security patch to its OEM partners at least a month in advance, but we have not heard from smartphone makers as to when they plan to release the security patch for their devices. The search giant also notes that there are no known incidents of hackers exploiting the bug to affect user devices just yet. It is not clear when other Android smartphone makers will release the update to their own devices.
Considering the critical nature of this bug, it is recommended that you do not open an image, especially a PNG file, received via email, SMS or any other messaging platform from users you do not trust. Android users should note that bad actors can target their devices using a PNG file, which then executes arbitrary code to gain privileged access.