Patch your Android now against critical .PNG image bug

Flaw could be exploited by malicious attackers.

Android users are being reminded to be careful about the files they open on their smartphones, after the discovery that harmless-looking image files could be harbouring malicious code.

In its Android Security Update for February, Google has detailed three critical security vulnerabilities in the way the Android operating system handles .PNG (Portable Network Graphics) files.

According to the advisory, a maliciously-crafted PNG image file could execute code on vulnerable Android devices, potentially compromising phones and granting access to a remote attacker.

The newly-discovered flaws affect millions of devices running versions of the Android operating system from Android 7.0 Nougat to the latest Android 9.0 Pie, and an attack could be activated by tricking a user into viewing a boobytrapped PNG image sent via email or a messaging app.

The silver lining on the cloud is that to date Google has not seen any evidence that the flaw is being exploited in real-world attacks. But that, of course, may only be a matter of time.

This isn’t, sadly, the first time that the Android operating system has been found sorely lacking when it comes to handling boobytrapped files. In 2015, for instance, the Stagefright bug made worldwide headlines after it was shown that hackers could simply send a maliciously-crafted multimedia message to an Android phone, and gain access to its data and even its camera.

More detailed descriptions of the latest PNG-related flaws are expected in the days ahead, but my advice is don’t delay - patch your Android phone as soon as a security update is available.

But that’s the big issue, isn’t it? “As soon as a security update is available.”

Whether you’re one of the lucky ones who will receive a security update for your Android smartphone rests in the hands of whoever manufactured your device, and their keenness to push out patches via your carrier.

If you have a phone recently manufactured by the likes of Google, LG, or Samsung then you’re perhaps much more likely to be able to get your hands on an update within a reasonable period of time than if you purchased a device from a lesser-known manufacturer.

If you haven’t received an update yet from your manufacturer/carrier then it’s time to start the stopwatch.


2 Responses

  1. FAS

    February 6, 2019 at 7:40 pm #

    As if just a simple patch can even be downloaded… You forget the carriers are the ones who delay these security updates. One can’t just go grab the update when they want just to protect against a bug.

  2. Martin

    February 7, 2019 at 1:31 am #

    I wonder if this bug can be used to root phones that are locked down by the carrier…
