Patch your Android now against critical .PNG image bug

Graham Cluley


Android users are being reminded to be careful about the files they open on their smartphones, after the discovery that harmless-looking image files could be harbouring malicious code.

In its Android Security Update for February, Google has detailed three critical security vulnerabilities in the way the Android operating system handles .PNG (Portable Network Graphics) files.

According to the advisory, a maliciously-crafted PNG image file could execute code on vulnerable Android devices, potentially allowing a remote attacker to hack phones and gain access.

The newly-discovered flaws affect millions of devices running versions of the Android operating system from Android 7.0 Nougat to the latest Android 9.0 Pie, and an attack could be activated by tricking a user into viewing a boobytrapped PNG image sent via email or a messaging app.

The silver lining on the cloud is that to date Google has not seen any evidence that the flaw is being exploited in real-world attacks. But that, of course, may only be a matter of time.

This isn’t, sadly, the first time that the Android operating system has been found sorely lacking when it comes to handling boobytrapped files. In 2015, for instance, the Stagefright bug made worldwide headlines after it was shown hackers could simply send a maliciously-crafted multimedia message to an Android phone, and gain access to its data and even its camera.

More detailed descriptions of the latest PNG-related flaws are expected in the days ahead, but my advice is don’t delay – patch your Android phone as soon as a security update is available.

But that’s the big issue, isn’t it? “As soon as a security update is available.”

Whether you’re one of the lucky ones who will receive a security update for your Android smartphone rests in the hands of whoever manufactured your device, and their keenness to push out patches via your carrier.

If you have a phone recently manufactured by the likes of Google, LG, or Samsung then you’re perhaps much more likely to be able to get your hands on an update within a reasonable period of time than if you purchased a device from a lesser-known manufacturer.

If you haven’t received an update yet from your manufacturer/carrier then it’s time to start the stopwatch.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Patch your Android now against critical .PNG image bug”

  1. As if just a simple patch can even be downloaded… You forget the carriers are the ones who delay these security updates. One can't just go grab the update when they want just to protect against a bug.
