- Receiving and opening a video on your Android device could lead to an RCE scenario.
- People are advised to update their devices to get the latest July security update if available.
- The rest are advised to refrain from opening video files received via email or chat apps like WhatsApp.
Simply playing a specially crafted malicious video on your Android device could be enough to have your smartphone or tablet compromised. The vulnerability that is exploited in this case carried the identifier “CVE-2019-2107”, and hackers already love it as it constitutes an easy way to allow them to execute arbitrary code on a target device. Not many people would think that merely playing a video could compromise them, so sending videos through email or chat apps is a way to reach to a wide audience of possible victims.
From Android 7.0 to Android 9.0, there are more than 1 billion devices out there that are vulnerable to the particular exploit, and if you’re not using a Google Pixel or an Android One device that has already received the July 2019 Android Security Update, you are most probably included in the list. For the exploitation to work, the victim will have to play the malicious video using Android’s native video player app, or a 3rd party video app that does use of the Android media framework. Unfortunately, there’s already a proof of concept code out there, so attackers can already grab it and get their campaigns started. The researcher (Marcin Kozlowski) who published the PoC has even given details about how to conduct RCE (remote code execution) on LineageOS and Samsung phones.
Google provides the following characterization for the particular flaw in their most recent security bulletin: “The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” Of course, the flaw is marked as critical. The particular problem reminds us of a similar bug that plagued Android back in February, but instead of a video file, the attackers would use a specially crafted PNG image.
It is important to clarify that if an attacker tries to compromise people’s devices by uploading the malicious video on YouTube or other video hosting services the exploit won’t work. The only way to succeed is to convince the victim to play the video on their device, so if you receive a video file via email, or through instant messaging apps like the Messenger or WhatsApp, do not try to open it. If you absolutely want to see what the video is or need to open it anyway, you can only do so safely by first converting it and re-encoding the video file by using a specialized transcoder tool like HandBrake.
Have you received the July Security patch? Is your vendor quick to deliver the latest security updates by Google? Let us know in the comments below, and help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.