Google security update: Hackers can use PNG file to break into Android devices

Google security update: Hackers can use PNG file to break into Android devices
Photo Credit: Photo Credit: Thinkstock
11 Feb, 2019

Google disclosed in its February security update that it has fixed a flaw that compromised Android devices. However, the news did not go down well with security experts who reportedly slammed the tech giant for not recognising a malicious image that could trick users into viewing and installing the content.

The flaw is caused by a modified Portable Network Graphics (PNG) image, which affects devices running Android 7.0 Nougat and newer versions of the software, a report by tech news website Android Headlines stated.

PNG supports data compression through rasterisation of the graphics file. Experts alleged that the cause of the vulnerability has been due to Google not analysing media content for security flaws.

The new firmware has only been released on the Pixel mobile phone handsets and a few stock Android phones. Google has also reportedly updated its Android Open Source Project (AOSP) code to include this important patch. The alarming factor is that the global rollout of the security patch is expected to take some time.

Just opening the image would be enough to execute the malicious code onto a phone and complete the hack. These images could reportedly be sent as emails or even messages.

Google has codenamed the three vulnerabilities associated with the bug—CVE-2019-1986, CVE-2019-1988 and CVE-2019-1988. Most of the bugs were found on the recent versions of Android.

The first few phones to get the update were the Pixel, Pixel 2 and Pixel 3 models as early as 5 February 2019. However, other brands such as Motorola, Xiaomi, Asus, etc. haven’t been given a clear date for the security update.

Android users who still haven’t got the update could look out for a reliable custom ROMs (read only memory) online that has the patch inbuilt.

On 8 February, Google said in a blog that it has spent close to $3.4 million (roughly Rs. 24.19 crores) in 2018 alone to fix bugs across its channels as part of the vulnerability rewards programme. The initiative has reportedly paid out $15 million (around Rs. 106 crore) in rewards since the launch back in November 2010.  Half of the $15 million spent last year was solely spent on fixing bugs and security issues on the Android and Chrome platforms.