• United States



Android phones can be hacked remotely by viewing malicious PNG image

Feb 11, 20193 mins
AndroidInternet of ThingsSecurity

Android users are being told to patch their Android OS Nougat (7.0), Oreo (8.0) and Pie (9.0) as soon as updates are available after a bug related to PNG images was found.

Android robot and gears emerging from isometric mobile phone screen
Credit: cenkerdem / Getty Images

Your Android could be pwned by simply viewing an innocent-looking image – be it from browsing the internet or an image received via text – according to the Android Security Bulletin issued this month. While this certainly doesn’t apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids – those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0).

The latest bulletin lists 42 vulnerabilities in total – 11 of which are rated as critical. The most severe critical flaw is in Framework; it “could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let’s get real: Even if your Android still receives security updates, there’s no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

More cybersecurity news

Thousands of internet-connected freezers can be remotely defrosted due to default passwords

Hackers can remotely defrost thousands of networked industrial refrigerators/freezers used in hospitals, supermarkets and restaurants, as security researchers determined that temperature control systems manufactured by Resource Data Management use default passwords.

To defrost a machine – a system which can be accessed via a browser – Safety Device researchers said, “All you’d need to do is click a button and enter the default username and password.” The researchers found 7,419 RDM products thanks to Shodan, including the largest pharmaceutical company in Malaysia, and advised users to change the default password or attackers might gain control of the systems.

Would you wear a corporate-issued fitness tracker if it lowered your insurance premiums?

If you could get a free fitness device, but only via your company, would you be game? Apple and Aetna have teamed up, created a health tracking app, and even offer participants an option to earn a free Apple Watch. Fitbit’s newest health tracker, Inspire, is available “exclusively through Fitbit corporate, wellness, health plan, and health systems partners and customers of their organizations, participants, and members.” I guess we’ll see how many people are game for this type of corporate tracking, as it would likely be used as an incentive to get lower insurance premiums. People seemd to like this sort of thing for auto insurance because a surprising number of people installed the plug-in safe-driver-type tracking devices in vehicles as a way to potentially lower auto insurance premiums.

If you don’t see a problem with it, then you might be interested in reading “Why data, not privacy, is the real danger” on NBC News. Granted, the article talks about Facebook and Google, but it focuses on what can be done with the data collected from users. Aza Raskin, co-founder of the Center for Humane Technology, pointed out, “I get that it’s creepy to imagine they listen to your conversations. But isn’t it more creepy that they can predict what you’re talking about without listening in? It’s this little model of you. You are super predictable to these platforms. It’s about persuasion and prediction, not privacy.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.