Experts Slam Google Over Android's Bizarre PNG Vulnerability


Cybersecurity experts slammed Google following the disclosure of a bizarre vulnerability affecting most Android users in the world. As revealed by the release notes attached to the February security update, Google's operating system can be compromised with a modified PNG file by simply tricking users into viewing an infected image.

Alarmingly laidback approach to media processing

Tripwire computer security researcher Craig Young called the vulnerability "alarming" and suggested the root cause of the issue is a frivolous approach to media content parsing on Google's part. The expert is particularly concerned with the latest development given how the newly patched vulnerability should have been preemptively addressed following the Stagefright incident since it's essentially enabled by an identical design oversight, except that it doesn't stem from the troublesome libStagefright library but the Skia graphics one.


Mr. Young described media processing as "one of the highest-risk activities," concluding that automated parsing of such files should be minimal in order to avoid scenarios wherein users unknowingly infect their devices with seemingly harmless media browsing.

Furthermore, no media parsing should ever be done in a privileged context and such activities ought to be conducted within an isolated execution environment, especially so when it comes to automated actions, according to the industry veteran. Mr. Young pointed to the example of Linux, often viewed as a particularly secure OS, as evidence that media parsing is a massive cybersecurity problem in this day and age.

Critical flaws in packages such as GhostScript, GStreamer, and ImageMagick prompted Linux developers to rethink media pursuing but Google has yet to learn that lesson. Since its very inception, Android relied on the Linux kernel.


A fundamental flaw of Android

Google's February security update addresses the issue but its global rollout is bound to be slow, as is always the case with the company's patches. The new firmware is currently only available on the Pixel-series handsets and a small number of devices launched as part of the Android One program which run what's essentially a stock version of the OS.

The bizarre PNG vulnerability affects all contemporary devices running Android 7.0 Nougat and newer versions of the software.


Tripwire Product Management VP, Tim Erlin, is concerned that "manufacturers may wait months to protect users from attackers" in this instance, which is a regular occurrence within the Android ecosystem. Even after the patch is optimized for specific devices and distributed, users are still expected to download and install such fixes themselves, which is another flaw in Google's cybersecurity plan, the executive concluded.

Baby steps

Project Treble managed to address some development issues associated with optimizing Android firmware builds for third-party devices but patches are still coming at an irregular rate for most users.


Assuming Alphabet's subsidiary is working on improving that state of affairs, it may have some news to announce come early may when Google I/O 2019 is scheduled to take place. This year's iteration of the developer conference will once again be held at the Shoreline Amphitheater in Mountain View, the location of Google's HQ campus.