Opening The Wrong PNG Image Can Wreak Havoc on Your Android Device

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Google has rolled out the February Android Security Update, and the relevant bulletin contains the revelation of an alarming vulnerability that allows a remote attacker to execute arbitrary code within the context of a privileged process once the victim has simply opened a PNG image file. The particular vulnerability is affecting the framework, and it is classified as “critical”, while it affects all Android versions between 7.0 and 9.0.

These types of attack through concealed code execution are the most dangerous because opening an image file is generally considered safe by most people. However, image files can potentially contain hidden code in them, so when opened, the code executes and the damage is done. Google is characterizing the PNG that takes advantage of the vulnerability as “specially crafted”, so this could mean steganography techniques that make it possible to hide code in the image file. The vulnerabilities that concern this issue are numbered as CVE-2019-1986, CVE-2019-1987, CVE-2019-1988.

Until you receive the February patch, PNG images that come through chats or emails, especially from people you don’t know should not be opened. Curiosity is a driver, but merely opening the image file will be enough for the Pandora’s box to open. One indicator that an image contains hidden code in it is when it has a surprisingly larger size than it should have, considering its resolution and file type. If you want to stay on the safe side, avoid all PNG images entirely.

Other critical-severity vulnerabilities that were plugged in this February update include a transmission-based code execution that targets the system (CVE-2019-1991 and CVE-2019-1992), a privileged code execution that aims NVIDIA components (CVE-2018-6271), a Qualcomm component foible focusing on the bootloader (CVE-2018-11262), and another four critical weaknesses that concern proprietary components of Qualcomm (CVE-2018-11289, CVE-2018-11820, CVE-2018-11938, CVE-2018-11945). Along with them, the update patches another 30 high-severity vulnerabilities, and one moderate.

The Android security team has stated that no incidents of taking advantage of the above security vulnerabilities have been reported and that all of their partners have been informed of the issues a month before their publication by Google.

Is your phone getting Android security updates quick enough? Let us know in the comments below, and don’t hesitate to like and share this story through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: