A critical vulnerability was found in the Android OS in which opening a cute or innocent photo in .PNG format could compromise the Android device.
The vulnerability was noted in the Google’s Android security update advisory for February. The attackers can activate the bug by sending a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device through a mobile message app or email app. The exploit is triggered when the user opens the file. After that the remote attackers can execute arbitrary code in the context of a privileged process.
All Android versions from 7.0 to 9.0 are impacted by this flaw. The vulnerability which is the most severe security issue in the February update was one of three bugs affecting Android Framework — CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.
At present there aren’t any reports regarding the vulnerability being exploited in the wild. The users are advised to accept incoming updates to their Android devices as early as possible.
Since all handset manufacturer does not roll out security patches monthly, it is not sure whether your Android device will get these security patches anytime sooner.
Google has not disclosed the technical details of the exploit to mitigate the risk of attack. Including these three flaws, Google has patched a total of 42 security vulnerabilities in its mobile operating system, 11 of which are rated critical, 30 high and one moderate in severity.
Google stated that they have notified their Android partners of these vulnerabilities a month before publication and so the source code patches for these issues will be released to the Android Open Source Project (AOSP) repository within the next 48 hours.