Good news for Android users. Google has fixed a critical vulnerability that affected Android devices. This bug helps cybercriminals hack Android devices by sending specially crafted PNG (Portable Network Graphics) image files and using the same to execute arbitrary codes.
Threatpost reports, “Google has patched a critical vulnerability in its current and legacy versions of its Android operating system, which allow an attacker to send a specially crafted Portable Network Graphics (.PNG) image file to a targeted device and execute arbitrary code.”
The report further says, “In its February Android Security Bulletin, Google lists three critical Android Framework vulnerabilities (CVE-2019-1986, CVE-2019-1987, CVE-2019-1988), one of which is associated with the .PNG bug. Impacted versions of its Android OS range from Nougat (7.0) to its current Pie (9.0).”
The Android Security Bulletin for February 2019 says, “The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
A hacker could exploit this vulnerability and gain access to an Android device by sending an image with a malware or by sending a malicious link via mobile message service. The Android Security Bulletin clarifies that there are no reports of the vulnerability, or for that matter, any of the vulnerabilities included in the bulletin, being exploited in the wild. “We have had no reports of active customer exploitation or abuse of these newly reported issues,” says the bulletin.
11 critical bugs were reported on February 4, of these three were Framework vulnerabilities. Google had released a total of 42 fixes, of which 30 were high severity ones. The detailed descriptions of CVEs included in the Android Security Bulletin for February would be available soon.