Android vulnerability allowed for PNG files to execute malware

The Android security team found a vulnerability that allowed malicious code to be attached to PNG image files and potentially gain privileged access to a device. The issue was fixed with the latest software security update.

14 Comments

1. RebelwithoutaClue unregistered

Might want to change the PGN to PNG in the title ;)

2. Panzer

Posts: 282; Member since: May 13, 2016

Per the report: "The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed." First you have to unlock your bootloader to even think about root privileges. Then you install a custom recovery, then flash a specific super user program. Then you would have to stupidly allow all root privileges without asking (default is to ask). Then you would have to find one of these PNGs in the wild. Unless I am reading this wrong, the chances of this affecting anyone are none unless you are really stupid.

3. clarity

Posts: 56; Member since: Jun 19, 2017

You can have root privileges without unlocking the bootloader. That's the principle of "jailbreaking".

6. Panzer

Posts: 282; Member since: May 13, 2016

Curious which devices allow this. I have rooted Nexus devices, LG G2 to G4, a few Samsungs, a Sony and an Umi. Always had to unlock the bootloader to get custom recovery to then flash the SU. If the devs at XDA can't get root on carrier Samsung devices, I highly doubt this bug is going to get root access.

8. clarity

Posts: 56; Member since: Jun 19, 2017

On the LG G2 and G3, you don't need to unlock the bootloader to root. LG G2 and LG G3 have a bootloader bug that allows you to run unsigned images.

9. Panzer

Posts: 282; Member since: May 13, 2016

Thank you, was not aware of that exploit. Marshmallow and beyond changes to SE Linux made it much more difficult to obtain root. If the system does not warn you have root, many APKs check for root and will not work. My bank and Netflix are examples. You would have to hide root from them. You have a better chance of winning the lottery than this being an issue. https://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/

12. ullokey

Posts: 178; Member since: Jul 28, 2015

Jailbreaking on Android phones?

13. clarity

Posts: 56; Member since: Jun 19, 2017

The act of breaking the software security of a device is called jailbreaking.

4. tangbunna

Posts: 480; Member since: Sep 29, 2016

What is Candle Compression? New melting technology?

5. civicsr2cool

Posts: 269; Member since: Oct 19, 2016

So.. Root on US Samsung phones when???

7. 7thlvl

Posts: 60; Member since: Dec 09, 2018

Right, that's what I was thinking.

10. obedchuni

Posts: 335; Member since: Jun 16, 2014

Root on Samsung non-US phone? I was thinking

11. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

Wicked, you understand now why I can't use an Android device without support?

14. tonyjeny

Posts: 2; Member since: Feb 18, 2019

PNG images are an indispensable format in every device when using images, I use PNG image files to work every day. jpg4png.com this is the best jpg to png image converter I've seen. can help people.