While the fight for data encryption and security grows fiercer, hackers worldwide are also devising new ways to target unsuspecting smartphone users.
The latest in this wave of attacks is the possibility of an Android phone being hacked simply by viewing a PNG image downloaded from the Internet.
Google announced this in its latest security update, which lists up to 42 vulnerabilities in its mobile operating system.
What makes these newly discovered vulnerabilities severe, 11 of which are rated most critical, is that viewing a seemingly innocuous image on the internet can compromise millions of Android devices, ranging from Android 4.4 to the latest 9.0 Pie OS.
This development comes in the wake of the Stagefright bug, which allowed malicious hackers to hijack Android devices with a simple text message, without the owners being aware of it. It resided in a core Android component, a multimedia playback library that processes, records and plays multimedia files.
Google engineers have postulated that any application using the Java object ExifInterface code is likely to be vulnerable to this current issue.
According to SentinelOne expert Tim Strazzere, who first discovered this oddity, when an unsuspecting victim opens a PNG file within an affected app like Gmail, a hacker can remotely crash the phone, or execute malicious code and take control of the phone. Strazzere disclosed this in a post published on Forbes.
Strazzere noted that as soon as the application attempts to automatically parse the image, the hack is executed instantly. He also disclosed that the image-based hack on affected devices was mostly found on Gchat, messenger and social media apps.
Google rewarded Strazzere with a sum of $4,000 as part of the company's bug bounty program.
The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched by Google, and the fixes were released in its February Android Security Updates. It is, however, unclear when smartphone companies will roll out the updates across their devices.