2 min Security

Android vulnerability lets hackers take over devices via PNG image

Android vulnerability lets hackers take over devices via PNG image

A new vulnerability has been discovered in Android. This allows malicious parties to take over a device by simply infecting a PNG file with malware. The vulnerability affects Android 7.0 Nougat to Android 9.0 Pie.

Google reported about the vulnerability in its most recent Android Security Bulletin. The company did not reveal many details about the way in which the vulnerability works exactly. It just stated that it relies on Androids Framework. There are no known cases in which the vulnerability has actually been exploited.

Already solved

According to Google, the vulnerability has already been solved with the February Android Open Source Project repository. But unlike Apple devices, where a new update of iOS is immediately rolled out to all eligible devices, Android is less smooth. This is because manufacturers have to release the update themselves to smartphones and tablets. As a result, Android users who don’t use a Google device may have to wait a few months before they get the update – if at all.

How the vulnerability works exactly is not certain. It does seem to have something to do with the way Android processes images. At least that’s what Craig Young, a security researcher who works for Tripwire, says opposite SiliconAngle. Since Stagefright, a lot of work has been done to isolate libStagefright and other media server components, but it doesn’t look like the Skia Graphics Library has received the same treatment. And so Young finds the alarming news to get.

The Skia Graphics Library is an open-source 2D graphics library that serves as the graphics engine of Google Chrome, Chrome OS, Android, Mozilla Firefox and Firefox OS. Whether those other platforms outside of Android also have to deal with this vulnerability is not certain. But it is clear that there is still work to be done.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.