Vulnerability allows hacking an Android smartphone using only a PNG image

Google claims that this vulnerability has not yet been exploited in the wild

Ethical hacking and network security specialists from the International Institute of Cyber Security recommend that users of smartphones running the Android operating system be cautious when opening or downloading images on their devices because, oddly enough, doing so could compromise their security.

According to recent reports, an Android smartphone could be hacked simply by viewing a seemingly harmless image, due to three recently discovered critical vulnerabilities. These flaws are present in millions of devices running that operating system, from Android 7.0 Nougat to the latest Android 9.0 Pie.

The vulnerabilities, tracked as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were patched by the Android Open Source Project as part of its February 2019 security updates, network security specialists report.

The problem is that not all smartphone manufacturers release their security updates monthly, so the fix for these vulnerabilities will not reach all Android devices at the same time.

Google’s security team has not revealed further technical details about the exploitation of these vulnerabilities, although the release notes for the operating system update mention fixing bugs such as a “buffer overflow”, “SkPngCodec errors”, and other flaws in various components that render PNG images.

Reports indicate that one of the three vulnerabilities could allow a specially crafted PNG image to execute arbitrary code on the affected device. Of the three, this is the most severe, according to Google’s security teams.

A malicious actor could exploit this vulnerability if they manage to trick users into opening or downloading the malicious PNG file on their devices (the payload in such an image cannot be detected with the naked eye). The image can reach the user through an instant messaging service, as an email attachment, or as a download from any web page.
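Because the flaws live in the components that decode PNG data, and the image arrives through ordinary channels (messaging, email, web), one defensive measure is to pre-screen files for structural sanity before a full decoder ever touches them. The following is an added example written for this article, not code from the article, from Google or from the Android/Skia project: it checks the PNG signature, chunk framing, chunk CRCs, IHDR plausibility and the decoded scanline size against what IHDR promises, with bounded decompression so a hostile file cannot make the checker itself allocate unbounded memory. The `MAX_DIMENSION` limit is an assumed policy value, and `build_png` only constructs sample files in memory for the demonstration; the checker is a generic framing validator and is not a signature for the CVEs named above, whose details were not published.

```python
"""Conservative structural pre-screen for PNG files, to run before a real decoder sees them.
Added example; not code from the article or from the Android/Skia projects."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 14                      # assumed policy limit per side; not from the article
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}    # PNG colour type -> samples per pixel


def _chunk(ctype, data):
    """Frame one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width, height, pixel=b"\x00\x00\x00\xff", rows=None):
    """Build a minimal non-interlaced 8-bit RGBA PNG in memory (constructed sample).
    `rows` lets a test deliberately emit fewer scanlines than IHDR declares."""
    rows = height if rows is None else rows
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + pixel * width for _ in range(rows))   # filter type 0 per scanline
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def check_png(data):
    """Return a list of findings; an empty list means the container looks structurally sane.
    Checks framing, CRCs, IHDR sanity and decoded size only; not a detector for any specific CVE."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos, expected, idat, seen_iend = len(PNG_SIGNATURE), None, [], False
    while pos < len(data):
        if len(data) - pos < 12:                       # length + type + CRC is the minimum
            findings.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length >= 1 << 31:                          # PNG spec: length must be < 2^31
            findings.append(f"chunk {ctype!r} length {length} exceeds the PNG limit")
            break
        end = pos + 12 + length
        if end > len(data):                            # declared length runs past the file
            findings.append(f"chunk {ctype!r} claims {length} bytes but only {len(data) - pos - 12} remain")
            break
        body = data[pos + 4:pos + 8 + length]          # type + data, the CRC-covered region
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(body) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in chunk {ctype!r}")
        if pos == len(PNG_SIGNATURE) and ctype != b"IHDR":
            findings.append("first chunk is not IHDR")
        if ctype == b"IHDR":
            if length != 13:
                findings.append("IHDR has wrong length")
            else:
                w, h, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", body[4:])
                if not (0 < w <= MAX_DIMENSION and 0 < h <= MAX_DIMENSION):
                    findings.append(f"suspicious dimensions {w}x{h}")
                elif colour not in CHANNELS or depth not in (1, 2, 4, 8, 16) or comp or filt:
                    findings.append("IHDR has invalid depth, colour type, compression or filter method")
                elif interlace == 0:
                    row_bytes = (w * CHANNELS[colour] * depth + 7) // 8
                    expected = h * (1 + row_bytes)     # one filter byte per scanline
        elif ctype == b"IDAT":
            idat.append(body[4:])
        elif ctype == b"IEND":
            seen_iend = True
            if end != len(data):
                findings.append("trailing data after IEND")
            break
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk")
    if expected is not None and idat:
        try:   # bounded inflate: never produce more than one byte beyond what IHDR implies
            out = zlib.decompressobj().decompress(b"".join(idat), expected + 1)
        except zlib.error:
            findings.append("IDAT is not a valid zlib stream")
        else:
            if len(out) != expected:
                findings.append(f"decoded scanline data is {len(out)} bytes, expected {expected}")
    return findings


if __name__ == "__main__":
    sample = build_png(2, 2)
    print("clean sample:", check_png(sample))
    print("short IDAT:", check_png(build_png(2, 2, rows=1)))
```

Such a pre-screen belongs at the ingress point (a messaging gateway, a mail filter, an upload handler), where a finding can quarantine the file or route it to a sandboxed decoder. It rejects malformed framing and implausible headers cheaply, but a well-formed file can still carry a decoder exploit, so it complements patching rather than replacing it.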

In the February updates, Google also included fixes for 42 vulnerabilities in the Android OS in total: 11 rated critical, 30 high severity and one moderate. The company stresses that there is no evidence that any of these vulnerabilities have been exploited in the wild.

Finally, the company says that it had already notified its Android partners about the vulnerabilities weeks before the publication of these reports, and added that the source code of the fixes will be published shortly in the Android Open Source Project repository.
