UPDATED 21:33 EDT / FEBRUARY 07 2019

SECURITY

Android vulnerability allows hackers to hijack a device using a PNG image file

A vulnerability in Google LLC’s Android operating system can allow hackers to hijack a device by simply displaying an infected PNG image file.

The vulnerability, found in Android 7.0 Nougat through to Android 9.0 Pie, was first disclosed by Google in an Android Security Bulletin published Feb. 4.

Google was reserved in providing specific details about how the vulnerability works, noting only that it related to Android’s Framework.On the positive note, there are no known cases of the vulnerability being exploited in the wild.

The vulnerability has been patched in the February Android Open Source Project repository, but unlike Apple iOS devices, which can receive security updates when they are available, Android devices require updates from either the smartphone maker or a users’ carrier.

In effect, this means that Android users, those who are not using Google-branded devices, may have to wait months to receive a security update and that’s presuming they receive one at all.

Craig Young, computer security researcher for Tripwire Inc.’s Vulnerability and Exposure Research Team, told SiliconANGLE that it appears that the vulnerability is directly related to how Android parses, that is interprets, an image before rendering it.

“It’s alarming to learn that modern Android OS still parses media files within a privileged context,” Young said. “After Stagefright, a lot of work was done to insulate libStagefright and other media server components, but it seems that event did not lead to the Skia Graphics Library receiving this same treatment.”

The Skia Graphics Library is an open-source 2-D graphics library that provides common application programming interfaces across a variety of hardware and software platforms.

It serves as the graphics engine for Google Chrome and Chrome OS, Android, Mozilla Firefox and Firefox OS, although it’s not currently known if other platforms may be exposed to the vulnerability as well.

“Generally speaking, media processing is one of the highest-risk activities,” Young added. “Automated media parsing should be kept to a minimum and it should always happen within an isolated execution environment. Linux distributions are gradually learning this lesson after a series of critical flaws in important packages like GStreamer, ImageMagick, and GhostScript put users and web sites at risk.”

Photo: 143601516@N03/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU