Patch your Android now against critical .PNG image bug

Flaw could be exploited by malicious attackers.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Patch your Android now against critical .PNG image bug

Android users are being reminded to be careful about the files they open on their smartphones, after the discovery that harmless-looking image files could be harbouring malicious code.

In its Android Security Update for February, Google has detailed three critical security vulnerabilities in the way the Android operating system handles .PNG (Portable Network Graphic) files.

According to the advisory, a maliciously-crafted PNG image file could execute code on vulnerable Android devices, potentially hacking phones and granting access by a remote attacker.

Sign up to our free newsletter.
Security news, advice, and tips.

The newly-discovered flaws affect millions of devices running versions of the Android operating system from Android 7.0 Nougat to the latest Android 9.0 Pie, and an attack could be activated by tricking a user into viewing a boobytrapped PNG image sent via email or a messaging app.

The silver lining on the cloud is that to date Google has not seen any evidence that the flaw is being exploited in real-world attacks. But that, of course, may only be a matter of time.

This isn’t, sadly, the first time that the Android operating system has been found sorely lacking when it comes to handling boobytrapped files. In 2015, for instance, the Stagefright bug made worldwide headlines after it was shown hackers could imply send a maliciously-crafted multimedia message to an Android phone, and gain access to its data and even its camera.

More detailed descriptions of the latest PNG-related flaws are expected in the days ahead, but my advice is don’t delay – patch your Android phone as soon as a security update is available.

But that’s the big issue isn’t it? “As soon as a security update is available.”

Whether you’re one of the lucky ones who will receive a security update for your Android smartphone rests in the hands of who manufactured your device, and their keenness to push out patches via your carrier.

If you have a phone recently manufactured by the likes of Google, LG, or Samsung then you’re perhaps much more likely to be able to get your hands on an update within a reasonable period of time than if you purchased a device from a lesser-known manufacturer.

If you haven’t received an update yet from your manufacturer/carrier then it’s time to start the stopwatch.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Patch your Android now against critical .PNG image bug”

  1. FAS

    As if just a simple patch can even be downloaded… You forget the carriers are the ones who delay these security updates. One can't just go grab the update when they want just to protect against a bug.

  2. Martin

    I wonder if this bug can be used to root phones that are locked down by the carrier…

Leave a Reply to Martin Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.