Android users could be remotely hacked simply by viewing a legitimate-looking PNG image, Google has warned in its latest security update.
The Android Security Bulletin for February lists 42 vulnerabilities in the Google mobile operating system, 11 of which are critical.
“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” it warned.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
Although there are no reports of this vulnerability being actively exploited in the wild, that could change, since the window in which individual ecosystem vendors issue patches can run to several weeks or even months.
“Vulnerabilities like these bring to light the disparate update strategies across Android phones,” explained Tripwire VP, Tim Erlin. “While those on Google devices will receive timely security fixes, other manufacturers may wait months to protect users from attackers. Of course, users have to actually apply updates to protect themselves.”
Simon Wiseman, CTO at Deep Secure, explained the criticality of the flaw.
“It means your web browser can fetch a crafted image from a website and the attacker now is in control of your browser and its environment. That means it has access to your stored passwords and you’ve given away access to all the secure sites you visit,” he said.
“The same goes for your email client — the attacker has control of your mailbox so can intercept your mail, perfect for harvesting password resets, and generate mail on your behalf, ideal for propagating the attack within your organization.”
He recommended users search for updates daily and erase all passwords from their mobile browsers as an extra precaution.