Beware! You need to be more cautious when opening an image
file on your smartphone, whether downloaded from anywhere on the Internet or
received through messaging or email apps.
Yes, just viewing an innocuous-looking image could hack your
Android smartphone—thanks to three newly-discovered critical
vulnerabilities that affect millions of devices running recent
versions of Google’s mobile operating system, ranging from Android
7.0 Nougat to its current Android 9.0 Pie.
The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987,
and CVE-2019-1988, have been patched in Android Open Source Project
(AOSP) by Google as part of its February Android
Security Updates.
However, since not every handset manufacturer rolls out security
patches every month, it’s difficult to determine if your Android
device will get these security patches anytime soon.
Although Google engineers have not yet revealed any technical
details explaining the vulnerabilities, the updates mention fixing
“heap buffer overflow flaw,” “errors in SkPngCodec,” and bugs in
some components that render PNG images.
According to the advisory, one of the three vulnerabilities,
which Google considered to be the most severe one, could allow a
maliciously crafted Portable Network Graphics (.PNG) image file to
execute arbitrary code on the vulnerable Android devices.
As Google says, “the most severe of these issues is a critical
security vulnerability in Framework that could allow a remote
attacker using a specially crafted PNG file to execute arbitrary
code within the context of a privileged process.”
A remote attacker can exploit this vulnerability just by
tricking users into opening a maliciously crafted PNG image file
(which is impossible to spot with the naked eye) on their Android
devices sent through a mobile message service or an email app.
Including these three flaws, Google has patched a total of 42
security vulnerabilities in its mobile operating system, 11 of
which are rated critical, 30 high and one moderate in severity.
The technology giant stressed that it has no reports of active
exploitation or in-the-wild abuse of any of the vulnerabilities
listed in its February security bulletin.
Google said it has notified its Android partners of all
vulnerabilities a month before publication, adding that “source
code patches for these issues will be released to the Android Open
Source Project (AOSP) repository in the next 48 hours.”
References
- February Android Security Updates (source.android.com)
