Android security flaw enables hackers to execute malicious code - just from a PNG image

Vulnerability in the Android operating system framework can be triggered simply by opening a PNG image

Google has issued a critical warning about a newly discovered Android security flaw, which enables attackers to remotely execute malicious code embedded in PNG image files.

The company disclosed the issue this week in its Android security update, where it provided details of three vulnerabilities that could affect millions of smartphones running Android, from Android 7.0 Nougat to the latest, Android 9.0 Pie.

Google's advisory reveals that the most severe of the newly discovered vulnerabilities enables attackers to create malicious PNG images capable of running arbitrary code on vulnerable devices. The vulnerability exists in the Android OS's framework and is triggered as soon as the user opens the PNG file.

Two other bugs revealed by Google are related to Android's handling of Bluetooth signals, and could enable a maliciously crafted transmission to run arbitrary code on the device.

Patches for these vulnerabilities have been released to the Android Open Source Project repository, but the fragmented nature of Android means that many users may never apply the patches.

Google's bulletin also provided details of other flaws affecting Android system files, libraries, and Nvidia components.

In total, Google patched 42 vulnerabilities in Android. These included fixes for three remote code execution bugs, four library flaws, eight system flaws, four Linux kernel flaws, and four bugs in Nvidia's drivers.

Eleven of these 42 vulnerabilities are rated 'critical' in severity; thirty are 'high', while one is classified as merely 'moderate'.

According to Google, no user has so far reported any "active customer exploitation or abuse of these newly reported issues", but with the flaw now public it's only a matter of time before exploits start appearing in the wild.

Users whose Android device's security patch is dated February 2019 need not worry about the new vulnerabilities, as their devices are up to date. Other users should check for updates and install them, if available.

"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform," Google said in its Android security bulletin.

"We encourage all users to update to the latest version of Android where possible."