back to article It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Google has emitted security fixes for Android that should be installed, should you get the chance, as they can be potentially exploited to hijack devices. The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, …

  1. Chris Gray 1
    Meh

    Errrrr.

    So my 5.0.1 device is fully safe then?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Errrrr.

      Oops, should have mentioned: Android 6 and below are no longer supported with security updates, sorry. V6 was cut off after August last year.

      C.

      1. Anonymous Coward
        Unhappy

        Re: Errrrr.

        I wonder what proportion of phones out there are in this position (mine is on 5.0.1 as well), and are being used for purposes such as mobile banking and two-factor authentication? Stating the obvious, I suppose, but I bet there is a significant number of people who are wide-open to abuse and don't realise it.

        Coincidentally, I note that Signal are rolling out an update that allows previewing of URLs in a message. I think I'll make sure that's turned off and carry on copying the URLs to view elsewhere.

        1. BinkyTheMagicPaperclip Silver badge

          Re: Errrrr.

          Lots. This is one reason why I will not install banking apps on my mobile.

          1. Anonymous Coward
            Anonymous Coward

            Re: Errrrr.

            My bank is obsoleting OTP tokens and forcing all customers to use or the banking app or SMS.

            When I complained they told me it was to increase the security....

            1. Rainer

              Re: Errrrr.

              > My bank is obsoleting OTP tokens and forcing all customers

              > to use or the banking app or SMS.

              Can't you visit the local branch?

              ;-)

              My bank is phasing out SMS in favour of their app (you need to point the mobile at the banking-screen, which shows some kind of flicker-code, IIRC, and then the mobile shows a code that you have to enter into the form on the website).

              SMS still works - but I've got no idea for how long.

              They have the older, original mobile app that works without SMS but seems to use some sort of private key on my phone for authentication.

              Apparently, because of the wide spread misuse of SIM-swaps, SMS is no longer considered secure.

              1. Michael Wojcik Silver badge

                Re: Errrrr.

                Can't you visit the local branch?

                Obviously use cases and bank affordances vary widely, but I've never done any banking on my phone. I do a fair bit online using a regular browser (locked down, non-privileged account, etc) from my personal laptop, and I do some via branches. My bank is a credit union, so it still invests pretty heavily in retail banking, including branches, unlike the for-profit banks.

                1. SkippyBing

                  Re: Errrrr.

                  Theoretically I could, but it's a five or six mile drive, then I have to pay for parking. Or I can do it from home. It's a tough call but generally I have better things to do than waste an hour of my weekend physically going to the bank. Double that in the week.

          2. jelabarre59

            Re: Errrrr.

            Lots. This is one reason why I will not install banking apps on my mobile.

            Same here. No store apps either. Mine is a phone, address book, and notepad (and Frozen Bubble for those times I'm stuck waiting someplace). And some music to play through VLC (screen is too small to use for video, or reading). Consdering my 5yr old Moto Droid is still on 4.4, probably a wise idea.

            1. Martin an gof Silver badge

              Re: Errrrr.

              Consdering my 5yr old Moto Droid is still on 4.4, probably a wise idea.

              LineageOS for Moto Droid Maserati

              M.

      2. Anonymous Coward
        Anonymous Coward

        Re: Errrrr.

        Bugger, mine's stuck on Android 6. The manufacturer seems to have decided not to bump my model to the next version, which is frustrating because that's the version of Android that it was sold with, so they must have stopped support for my model pretty early on.

  2. ThatOne Silver badge
    Unhappy

    Oh well

    Well, add those to the long list of patches and fixes any device older than 6 months will probably never get...

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh well

      Which isn't what I am seeing. Every device in my household is over 6 months old, and all are already running this patch.

      Namely:. Google Pixel 2, 2x Huawei mediapad m5 and a essential phone PH-1

      I guess you believe everything the clickbait internet tells you...

      1. DropBear

        Re: Oh well

        Fine, make it 7 months then...

        1. Tomislav

          Re: Oh well

          I have a 2+ years old OnePlus 3T that gets regular security patches and will even get an upgrade to Android 9.0

      2. Michael Wojcik Silver badge

        Re: Oh well

        Which isn't what I am seeing

        Oh, well, clearly your experience is definitive.

        If we're going to trade dueling anecdotes: I've had several Android devices, from well-known manufacturers, and only one has ever received OTA OS updates. And it's been a while since that one has.

        Google's reliance on carriers to distribute updates is a bullshit mechanism that has failed most users.

        1. Colin Ritman

          Re: Oh well

          Perhaps you should avoid £50 phones?

          Android supports over 10,000 different device models and form factors. Apple support a handful. There is no way this is Google's issue, it's 100% manufacturer and carrier, compounded by idiot consumers like yourself that don't vote with their wallet, and continue to buy tat, and cry about the tat not being well supported.

    2. Nick Ryan

      Re: Oh well

      Certainly anything from Samsung anyway. They have corporate amnesia about most of their devices from around six months from first release for many of them... But then I've yet to figure out quite they need so many models.

      Case in point: Samsung phone bought last November. Security patch level: 1 November 2018.

      1. doublelayer Silver badge

        Re: Oh well

        And, unfortunately, devices running on old security updates are very common. Again with the anecdotes, but a friend of mine has two tablets that she uses very frequently, both of which are still on version 4.3*. My only hope is that they are too old to run the newest malware. She is, at least, a sharp person who will probably spot most scams, but it is still unpleasant to think of those things online in 2019.

        *Neither received a single update of any kind.

      2. Anonymous Coward
        Anonymous Coward

        Re: Oh well

        Yet I have a Samsung phone of mid-2017 vintage which has patch level 1st Jan 2019, so in my experience they've been very good at pushing out updates.

        1. ShortLegs

          Re: Oh well

          Regrettably my S5 has had one security patch since I bought it. I'm not holding my breath.

          I know Samsung et al like customised ROMs so they can throw bloatware in it, but FFS, after x years of never using their "added-value apps" surely they can let go and allow Google to push out vanilla ROMs c/w patches.

      3. Korev Silver badge
        FAIL

        Re: Oh well

        Ditto for my MotoG 6 Plus...

    3. fuzzie
      Pint

      Call-out to Sony (was: Re: Oh well)

      Gotta give credit where's it's due. I have a Sony Xperia (XZ Premium from June 2017) and a week or so ago got the firmware update to the January 2019 security patch level. I started on Nougat/7.1, then upgraded to Oreo/8.0 and now on Pie/9. It never lagged security patches by more than about two months. My previous Sony handsets also got regular updates, up to and sometimes past two years from launch period.

      Sony also publishes publishes build instructions and newer kernels for devices long past their two year support cycle for third parties who want/need to make custom builds

      * https://developer.sony.com/develop/open-devices/get-started/supported-devices-and-functionality/

      * https://developer.sony.com/develop/open-devices/downloads/software-binaries

    4. zuckzuckgo

      Re: Oh well

      I have a oneplus3 which is a few years old and continues to receive updates. Last one was Dec12 2018, expect another by March if they keep up the pace. Cost less than half my wifes iPhone.

  3. Timo

    Great

    My aging Moto phone on 7.1.1 says that it's security patches are from June 2018!?!

    I bet it will be the 32nd of NEVER when the next set of security updates will be released. Might as well leave the barn door wide open.

    1. mrobaer

      Re: Great

      Mine are from Nov 2018, and indicated that the last *check* was mid December. It tells me, "The latest updates have already been installed." Gee thanks, Sprint.

      1. Anonymous Coward
        Anonymous Coward

        Re: Great

        Same here ( Moto G6+ ). It's Levano dragging its feet, not your MNO.

    2. Anonymous Coward
      Anonymous Coward

      Re: Great

      Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing.

      1st party phone is a Google pixel

      2nd party phone is a network SIM free phone

      3rd party is a network provider phone.

      You are at the mercy of 3 tiers of companies. There is clearly nothing wrong with Android if some models get these patches every month, and many do. Not just Google phones. Do your beef is with the lower tiers in your support pyramid.

      I would also get you are blissfully unaware of Google Enterprise program that mandates updates for 3 years and withing 90 days of Google's release. Only an idiot would shop for phones that aren't on that list when they cared about updates..

      All the indicators are that the YOU are the problem.. you are an uneducated plebs that didn't bother doing any research about how your phone is supported before buying it.

      1. doublelayer Silver badge

        Re: Great

        "Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

        Thanks for the compliment.

        "1st party phone is a Google pixel"

        That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.

        "2nd party phone is a network SIM free phone"

        Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

        "There is clearly nothing wrong with Android if some models get these patches every month, and many do."

        Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

        1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

        2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

        3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

        4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

        A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.

        1. DryBones

          Re: Great

          Nice word dump. Hope you feel better now, I always do after a sit down.

          People keep buying Samsung et al, companies with a horrible record of prompt updates, because ooh shiny shiny. It is a computer, they need to put patching higher on their list of priorities. OnePlus, Nokia, refurbed Google devices, all are both affordable and frequently updated.

          Companies shift their resources, if longevity is important you must actually make it a priority in your buying decision and keep in mind nothing lasts forever.

      2. Paul Martin

        Re: Great

        Google Nexus 5X stopped getting security updates after December 2018.

      3. Claverhouse

        Re: Great

        Screaming abuse is a well-known motivational tool that not only works, but improves morale.

    3. Saigua

      Re: Great (LineageOS, et al.)

      So why would you not move to a nougaty or newer Lineage OS (take a los?) or take advantage of your device's maturity to freshen its loadout from a well-fuzzed bsd source? No current maintainer, or more like losing the back screen (driver?)

  4. Dan 55 Silver badge

    Two posts will be along shortly...

    1) I've got an unlocked Pixel phone so I'm alright Jack (for two whole years).

    2) It's easy, all you need to do is root it and install Lineage (an pray the developer is competent and doesn't lose interest).

    1. Anonymous Coward
      Anonymous Coward

      Re: Two posts will be along shortly...

      How about the posts that if apple licensed iOS to all and sundry and had an open bug tracker that any clickbait hack could read and do a lazy copy and paste from every month, the situation would be exactly the same..

  5. Anonymous Coward
    Anonymous Coward

    LineageOS ?

    Let's see if this gets patched .... i'm running an evaluation on the wifes old MOTO-G which dropped off Tesco and Motorolas support radar years ago.

  6. Aladdin Sane

    Papua New Guinea?

    1. W.S.Gosset Silver badge

      Rife with viruses.

  7. naive

    Display images from the web with root privilege in some picture browser ?

    Yeah right, they never learn. It is the same reason all this Adobe crap became such a never ending security drama on windows.

  8. fnusnu

    It would be extremely helpful if the message you get when you click on System Updates was 'Your device is no longer supported', rather than 'Your system is up to date' if it no longer gets updates.

    1. Tigra 07
      Meh

      Mines different...

      Settings > Software & Device Info > Software Version > "No one likes you, you're probably adopted, and it's your fault Dad left and never came back"

      1. Scunner

        Re: Mines different...

        "Hey sis... have you been messing with the ROM on my phone again?"

        1. BebopWeBop

          Re: Mines different...

          Hey sis I have modified the ROM on your phone - luv small Bruvver

    2. ThatOne Silver badge
      Devil

      > if the message you get when you click on System Updates was 'Your device is no longer supported'

      Yes, and call centers didn't pretend your call is very important to them. Unfortunately the convention is to not trouble the victim, it deteriorates the meat...

  9. Anonymous Coward
    Anonymous Coward

    Holy sheep

    This is what happened to me whilst in Redhill town centre. I had my bluetooth on hooked to the car, and then my phone said i was receiving a file called "nursery schedule.png" but my phone's antivirus probably blocked the transfer and the transfer failed and disappeared. I have a 2018 huawei p smart on emui 8.0.... I thought it was a bit shady...

    1. Anonymous Coward
      Anonymous Coward

      Re: Holy sheep

      of course that happened....

      Did you even bother to read the security bulltin before making that horse crap up?

  10. jelabarre59

    breaking

    So can we use this exploit ourselves to jailbreak otherwise nailed-shut devices? Like maybe to install a bootloader so you can install a current and supported version of LineageOS on it?

    1. Norman Nescio

      Re: useful jailbreak?

      So can we use this exploit ourselves to jailbreak otherwise nailed-shut devices? Like maybe to install a bootloader so you can install a current and supported version of LineageOS on it?

      I would like that, as I have a 'landfill tablet', abandoned by its retailer, that I would like to bring up to date. It is currently running Android 5.1 (Lollipop) with Linux kernel version 3.10.62

      Sadly, it is probably using all sorts of nasty binary firmware blobs in the hardware drivers, which will be incompatible with any reasonable update. One of the benefits of Project Treble Bettershark,Ars Technica is meant to be reducing such problems in future.

  11. Anonymous Coward
    Anonymous Coward

    Stop bug hunting

    You're making googie have to patch half of our backdoors.

    Regards,

    The NSA

    Negligent Spying Association.

  12. Mystic Megabyte

    Suggestions please

    Maybe it's time to retire my 1st. gen Moto G even though it is still working fine. I wouldn't do banking on any phone but I don't want it dialling premium rate numbers.

    Any recommendations for a phone that's less than about £150 would be welcome. When I get a new one I'll try loading Lineage on the old one.

    1. Steve Graham

      Re: Suggestions please

      My Nokia 5 has just updated itself to Android 9, with January 2019 security updates. I expect the February update will be along soon.

      It came with Android 7 installed and updated to 8.1 previously. There's a slightly improved model now, but I think it's still around £150, SIM-free.

  13. Giles Jones Gold badge

    I remember a libpng bug being used to unlock the Sony PSP back in the day.

  14. Fever905

    Windows 7 anyone?

    Next thing you're going to tell us is Windows 7 is no longer receiving security updates! Yet a lot of people (developers?) do not want to switch to Windows 10 (myself included)..

  15. Anonymous Coward
    Facepalm

    Maliciously image could execute code

    The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it.”

    Why is this kind of thing still happening in the year of Ano Domini 2019, Anno Hegirae 1440, Common Era 2019.

  16. Anonymous Coward
    Anonymous Coward

    Dammit

    Byebye Note 4.

    Guess its not worth fixing now, as it stopped getting updates back last August.

    RIP

  17. Sleep deprived
    Thumb Down

    My Samsung Tab 8 is at 7.1.1

    ...but with last security fix in August 2017. Why bother look for bugs if devices don't get patched by manufacturers and users cannot apply pressure themselves?

    1. Sleep deprived

      Re: My Samsung Tab 8 is at 7.1.1

      Apply patches I meant to write.

  18. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    I wonder when LineageOS will get patched

  19. Anonymous Coward
    Anonymous Coward

    https://apnigiftshop.com/best-earphones-under-1000/

    SMS still works - however, I have no idea for the length of time. Apparently, as a result of the broad spread manipulation of SIM-swaps, SMS is now not considered stable. My bank is currently phasing-out SMS in preference of these program (you want to tip that the phone at the banking-screen, which shows some type of flicker-code, IIRC, and the phone shows a code you must input in the shape on your web site ). They've the old, original cell program which works without SMS however generally appears to make use of some type of private key in my mobile for authentication.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like