Your Android could be pwned by simply viewing an innocent-looking image – be it from browsing the internet or an image received via text – according to the Android Security Bulletin issued this month. While this certainly doesn’t apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids – those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0).
The latest bulletin lists 42 vulnerabilities in total – 11 of which are rated as critical. The most severe critical flaw is in Framework; it “could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”
Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let’s get real: Even if your Android still receives security updates, there’s no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.