If you are an Android user you should know that there is a change an innocuous image on social media or a messaging application to completely compromise your mobile phone.
The vulnerability, dubbed CVE-2016-3862, is a remote code execution flaw in the Mediaserver, which affects the way images, used by certain Android applications, parsed the Exif data included in them.
The last set of vulnerabilities that Google patched were the Quadrooter flaw, threatening more than 9,000 million devices worldwide, and the critical zero-day, allowing crooks to deliver their hack inside an image.
“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” – reads Wikipedia.
The security researcher from SentinelOne, Tim Strazzere, was the one to uncover this flaw. He warned that the bug could easily be leveraged by attackers to take complete control over targeted devices or crash them without the victims even realizing.
“Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.” -explained Forbes.
There is no need for the victim to follow a link or to click on a malevolent image as the CVE-2016-3862 vulnerability is triggered as soon as its data is parsed by the device.
“The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered.” – Strazzere explained.
This means that only one photo, which contains the generic exploit, is able to quietly infect millions of Android users. This attacking technique resembles the last year`s Stagefright exploits which allowed the crooks to hijack Android devices with just a text message without the owners even knowing.
“Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” –continues Strazzere.
Strazzere created the exploits for the affected devices and tested them on Gmail, Gchat and many other social media and messaging apps. The researcher didn’t announce which other apps are also affected by the CVE-2016-3862 bug but he revealed that “privacy-sensitive” tools are also on the list of threatened pieces of software. Any mobile application which applies the Android Java object ExifInterface code is likely to be at risk of the flaw.
The CVE-2016-3862 vulnerability infects devices with Android versions from 4.4.4 to 6.0.1. A patch for this bug is already available but users have to make sure their phones have actually applied it as the patch management depends on handset manufacturers and carriers.
So, if users` Android OSes are not up to date, there is a high chance for them to fall victims to the image-based infection.
Strazzere received $4,000 as a reward from Google for discovering this bug. However, when he announced he would donate everything to Girls Garage, a program of the nonprofit Project H Design for girls aged 9-13, Google added another $4,000.
