IT'S NO SECRET that Android isn't always the most secure mobile operating system, but getting potentially pwned by a PNG - even for Google's mobile OS - is a bit much.
In Google's latest Android security bulletin, the search giant fesses that one vulnerability could enable a PNG file that's been loaded with malicious code to be executed within an Android app if said application views it.
Once opened, the malicious code could start running malware on an Android smartphone or tablet with high-level privileges, where it could then wreak havoc.
But before you panic and hurl your Android phone out of the window, Google notes that for such malicious code to work, "the platform and service mitigations are turned off for development purposes or if successfully bypassed". But it does seem a tad basic that a standard PNG file with a bit of nasty code behind it could be executed at a privileged level.
It's also worth noting that Google didn't report such an exploit being used in the real world, which probably suggests that hacking has moved a bit beyond inserting code into PNG files.
Google also detailed a suite of other flaws its scraped off and fixed in Android, including one sever vulnerability at the "library" level which "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process".
And a similarly severe flaw at the system level could also allow a remote attacker to execute arbitrary code at a privileged level if they were to craft a malicious transmission delivered over Bluetooth.
While users of Google's Pixel phones and smartphones that are part of the Android One programme are protected, those using OEM modified versions of Android will need to wait until the respective hardware makers kick out patches integrating Google's fixes for the discovered vulnerabilities.
So as ever, it's worth being cautious to what your tapping on and downloading until your phone gets a security update. To be honest, it's worth being careful with such stuff, in general, these days. µ
We should be shocked, but...
But the search giant has now squashed the bug
But it's not yet available here in Blighty