Google Fixes Critical PNG Security Bug, but Millions of Android Smartphones Still Vulnerable

Google recently began the rollout of the February 2019 Android security update, which addresses a total of 42 issues and fixes vulnerabilities of varying severity levels.

But if you think this is just a normal security update, you might want to reconsider. One of the vulnerabilities fixed by Google could allow a hacker to plant malware just by sending a picture in PNG format. When the user opens the picture, it triggers the exploit and allows bad actors to execute arbitrary code and wreak havoc.

This is how Google describes it in its February 2019 Android security patch notes: “The most severe of these issues is a critical security vulnerability in Framework that could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

But despite Google having identified and fixed the issue, there is little respite for the countless Android smartphone users out there. Why? The February 2019 Android security update has only been released for the Pixel smartphones, the Pixel C tablet, and the Essential Phone. Obviously, the number of Pixel devices out there is nothing compared to the millions of Android smartphones from other brands. To make matters worse, the majority of at-risk users have not been told whether their Android smartphone will receive the February 2019 Android security update and protect them.

So, what can be done in this case? The best solution is to not open a picture, especially a PNG file, received via an untrusted email, SMS, or messaging platform. Put simply, opening the infected PNG file will trigger the exploit and may open the floodgates for downloading malware onto the device.

The critical vulnerability has been identified in three forms (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and impacts Android smartphones running Android 7.0 or a later build, all the way up to Android Pie. Google claims that no incidents of bad actors exploiting the critical security bug have been reported so far. Additionally, Google notified all Android partners about the security bug one month prior to publishing details of the vulnerabilities and has also released the code patches to the Android Open Source Project (AOSP) repository.

While Pixel users have received an update to patch the critical vulnerability, other smartphone makers are yet to release an update to address the matter in their devices. Until this happens, we recommend that you refrain from opening PNG files received from unknown people and download the security update as soon as it becomes available.

