Imagine you received an image on your Facebook Messenger. You didn’t even click on the image, and the next thing you know, your smartphone is behaving oddly. Be sure it has been hacked! Researchers have now discovered that hackers can take over your smartphone with just an image, by way of a flaw in ExifInterface.
The previously unknown critical flaw allows hackers to deliver the hack hidden inside an innocuous-looking photo in a social media or chat app. The flaw is so critical that the smartphone owner doesn’t even have to click on the evil photo: as soon as its data is parsed by the phone, it will let the remote hacker take over the smartphone or simply brick it.
Tim Strazzere of security firm SentinelOne, who uncovered the vulnerability, says that the flaw resides in the way certain Android apps parse the Exif data in an image. Any app using a slice of Android code – the Java object ExifInterface – is likely to be vulnerable to this kind of attack, says Strazzere.
Speaking to Forbes’ Thomas Fox-Brewster, Strazzere said that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution.” Once they have achieved access to the victim’s Android smartphone, they can install malware and take control of it without the owner even knowing about it.
Adding to smartphone owners’ woes is the fact that this hack doesn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere said.
In terms of severity, Strazzere says that this flaw is similar to the Stagefright exploit discovered last year.
“Theoretically, someone could create a generic exploit inside an image to exploit lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” The researcher wouldn’t reveal the names of the other, non-Google apps affected, other than to say they included “privacy-sensitive” tools.
Google has taken note of the severity of the flaw and issued a patch today, but knowing how rarely Android patches percolate to the smartphone user, millions of Android smartphones may still be vulnerable to this flaw.