Google Fixes A Bug That Could’ve Used Single Image To Hack Millions Of Phone

Share on twitter
Tweet
Share on whatsapp
WhatsApp
Share on facebook
Share
image-hack

image-hackShort Bytes: Google has fixed a critical vulnerability in its September security patch level. The vulnerability exists in the way the Exif data of an image is parsed by some Android apps. The vulnerability could allow an attacker to brick the device or do remote code execution without the knowledge of the user.

With the September Security Patch Level, Google has fixed an unknown vulnerability (CVE-2016-3862) which was reported by the director of Mobile Research at SentinelOne, Tim Strazzere. The security patch update has also fixed the scary Quadrooter bug which was being patched in phases.

Strazzere was awarded a bounty for reporting the “Remote code execution vulnerability in Mediaserver”. Google gave $8000 (including Strazzere’s $4000 bounty) to GirlsGarage. It is a building program and dedicated workspace for girls between 9 and 13.

The vulnerability, which is flagged critical by Google, allows an attacker to take control of an Android device using an image. It doesn’t require that image should be put as a bait in front of the user. Instead, a modified image that gets loaded in affected apps like Gmail can allow the attacker brick the device or perform remote code execution.

The exploit lies in the way some Android apps parse the Exif data of an image using the ExifInterface object. The user wouldn’t know their device has been compromised. Strazzere said that triggering the bug could be as simple as receiving an email or message. “Once that application attempts to parse the image (which was done automatically), the crash is triggered.”

“Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” – Strazzere told Forbes.

The security patch update will be pushed to devices running Android 4.4.4 KitKat and higher. The researcher went back to Android 4.2 to see if the exploit works and it did. These older devices may not be patched. If you’re the one using the ancient android version, it is the time to put some cash out of your pockets.

An OTA update for all supported Nexus devices has been pushed on September 6, 2016. For non-nexus devices, a soon to be released update would be in the works.

If you have something to add, tell us in the comments below.

Also Read: 27-year-old Programmer Arrested For Hacking Linux Kernel Website

Aditya Tiwari

Aditya Tiwari

Aditya likes to cover topics related to Microsoft, Windows 10, Apple Watch, and interesting gadgets. But when he is not working, you can find him binge-watching random videos on YouTube (after he has wasted an hour on Netflix trying to find a good show). Reach out at [email protected]
Scroll to Top