Never has downloading an image of a cute puppy been so dangerous. Google has disclosed a vulnerability in Android Nougat and above where hackers are luring users by tricking them through a cute PNG file. Remote attackers created PNG files that would execute arbitrary code to give privileged access to bad actors. Getting users to open the PNG file could be as easy as hiding the code behind a cool image, or something seemingly innocent. Google says it has already released a patch through its Android Open Source Project (AOSP) repository. However, in terms of security, the company’s software model is harmful.
Fix Problems
Android updates to not roll out uniformly, with OEMs able to decide when to release patches. This has led to the laughably fragmented Android ecosystem and the truth is some security patches and updates may never arrive. Also, there is no way to know if a device has been hacked by this latest ploy. Google did not describe the technical details of the vulnerability or any potential mitigations. We do know the fix was issued this month, so there is a chance most Android users have yet to receive it. Obviously, the best way to prevent being hacked in this manner is to simply avoid opening PNG files from untrusted sources, or from contacts who are passing it along.
