Google Fixes Critical PNG Security Bug, but Millions of Android Smartphones Still Vulnerable

Google recently began the rollout of the February 2019 Android security update that addresses a total of 42 issues and fixes vulnerabilities of varying severity levels.

But if you believe this is just a regular security update, you might want to reconsider. One of the vulnerabilities fixed by Google could enable a hacker to plant malware just by sending an image in PNG format. As soon as the user opens the picture, it triggers the exploit and allows bad actors to remotely execute arbitrary code and wreak havoc.

But although Google has acknowledged and fixed the issue, there is little respite for the millions of Android smartphone users out there. Why? The February 2019 Android security update has so far been released only for Google's Pixel smartphones, the Pixel C tablet, and the Essential Phone. The number of Pixel devices out there is small compared with the millions of Android smartphones from other brands. To make matters worse, a vast majority of at-risk users have not been told whether their Android smartphone will receive the February 2019 Android security update that would protect them.

So, what can be done in this case? The best solution is not to open an image, specifically a PNG file, received via an untrusted email, SMS, or messaging platform. The focus here is on PNG files because the critical vulnerability could be exploited via a specially crafted PNG file to execute arbitrary code within the context of a privileged process. Simply put, opening the malicious PNG file will activate the exploit and may open the floodgates for downloading malware onto the device.

The critical vulnerability comes in three variants (CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988) and impacts Android smartphones running Android 7.0 or later, all the way up to Android Pie. Google says that no incidents of bad actors exploiting the critical security bug have been reported so far. Additionally, Google notified all Android partners about the security bug one month before publishing details of the vulnerabilities and has also released the code patches to the Android Open Source Project (AOSP) repository.

Even though Pixel users have received an update to patch the critical vulnerability, other smartphone makers are yet to release an update to address the issue on their devices. Until that happens, we advise you to refrain from opening PNG files received from unknown people and to install the security update when it becomes available.