It should be no surprise by now that your phone can be hacked. But did you know it can be done just by you looking at an image on your phone?
Yes, I know this particular vulnerability doesn’t really pass as “news” anymore. It was patched on February 4, and The Inquirer reported about it over two weeks ago. But I drafted this post the day Google released the February Android security bulletin, and there’s no way in hell that effort will go down the drain. So this post gets published, news-worthy or not!
So what’s the issue? Let’s see what Google writes in their February security bulletin:
The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.
– Android Security Bulletin - February 2019
Hey, Kids, Wanna Look at Some Cat Pics?
The security vulnerability in questions lies in the underlying framework used to display images on Android devices. In practice, this means that an attacker can install malware on an Android device simply by making the handset display an image.
It doesn’t matter what application displays the image. It can be displayed by the e-mail client, the web browser, or even the Facebook client. All these apps use the built-in image capabilities of Android to display the image. The latter case is less likely, though. Images displayed by the Facebook client, is processed and analyzed to the bone by Facebook when they are uploaded. This process will probably inadvertently remove the malicious code, or at least turn it into useless garbage.
Not the First Time
This is not the first time Google’s Android operating system has been hit by a ridiculous security vulnerability. Back in 2015, a series of bugs affecting, in part, how Android handled MMS messages were announced. The reveal came at a time when giving serious security vulnerabilities fancy names and logos. These particular ones were known as Stagefright.
Using Stagefright bugs, an attacker could perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. The Stagefright attack required no end-user interaction. All that needed to be done was to send a specially crafted MMS message to the victim.
Stagefright was a marvelous mess. The good news this time around is that no code exploiting the new image rendering vulnerability has been spotted in the wild. This doesn’t mean that it hasn’t been used against anyone, though. I would be very surprised if it hasn’t been utilized as a 0-day in targeted attacks by nation states or similarly powerful organizations.
And Not the Last Time
How is this even possible!? A mobile operating system is an inherently complicated piece of software, and it will always contain serious bugs and vulnerabilities. Since the mobile phone is every nation’s wet surveillance dream, intelligence agencies around the globe are working hard to find and exploit every vulnerability they can find. And they find plenty.
The Android ecosystem faces another challenge when it comes to security problems: Patching them. Unless you have a Google Pixel or an Android One device, you won’t get any security patches in a hurry. Most Android handset manufactures usually lag months - and often more - behind on available security patches. And that the latest image bug affect three major versions of Android doesn’t help.
Personally, I have a Samsung phone. They have a surprisingly short turn-around when it comes to merging Google’s security patches into their modified version of Android. I got the February patches today, a mere 19 days after they were published by Google.
Vulnerabilities like this will surface from time to time. The best way to approach the issues is probably to assume that you’ve already been hacked.
This post has no feedback yet.
Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to
vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.