If you’re running a Google Pixel handset, your phone is safe from a security hole that could let a PNG file completely wreck the system. If you’re using nearly any other Android handset, then your phone is vulnerable. This is a problem.
Google recently released the February security update for Pixel devices, which closes a hole that would allow malicious PNG files to “execute arbitrary code within the context of a privileged process.” In simpler terms, the attacker’s code can run with elevated privileges and steal your info—all you need to do is open the file. That’s it.
That means any PNG that comes to you—be it in an email, a messaging client, or even over MMS—could potentially hijack the system and steal valuable data. That is, on any phone that isn’t a Pixel, since Pixels are protected now. Samsung, LG, OnePlus, and most other manufacturers’ handsets are still susceptible to this bug. We have to start holding manufacturers to a higher standard when it comes to security updates. Period.
I currently have four Android phones within arm’s reach: Pixel 2 XL, Pixel 1, Samsung Galaxy S9, and OnePlus 6T. The two Pixels are patched and protected with the February update, but the S9 and 6T are only on the December security patches. That means any newer vulnerabilities—like this PNG one, for example—are unpatched on both of these handsets. Considering that Samsung Galaxy devices are among the most popular phones on the planet, this is troubling.
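One way to make that arm’s-reach check systematic, as an added example that is not from the article: Android exposes the patch level as the `ro.build.version.security_patch` property (readable with `adb shell getprop`), and the script below compares each device’s level against the required monthly level. The inventory is constructed to mirror the four phones above, and the February patch is assumed to be level 2019-02-05, since the page does not give the year.

```shell
#!/bin/sh
# Added example, not from the article: decide whether a handset's reported
# security patch level is at or beyond the monthly level that fixed the PNG bug.
# On a real device the level comes from:
#   adb shell getprop ro.build.version.security_patch
# Here it is constructed to mirror the four phones the author lists.
# Assumption: the "February update" is patch level 2019-02-05 (year not on the page).

REQUIRED_PATCH="2019-02-05"

# Constructed inventory, one "name|patch level" per line; the last entry
# models a device that reports no level at all.
DEVICES='Pixel 2 XL|2019-02-05
Pixel 1|2019-02-05
Galaxy S9|2018-12-01
OnePlus 6T|2018-12-01
Mystery tablet|'

# patch_is_current LEVEL REQUIRED -> exit 0 if LEVEL >= REQUIRED.
# Levels are YYYY-MM-DD; stripping the dashes gives an integer that orders
# the same way. Anything not in that shape counts as unpatched.
patch_is_current() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    lvl=$(printf '%s' "$1" | tr -d -)
    req=$(printf '%s' "$2" | tr -d -)
    [ "$lvl" -ge "$req" ]
}

# count_unpatched -> prints the number of inventory devices below REQUIRED_PATCH
# on stdout and one status line per device on stderr.
count_unpatched() {
    n=0
    while IFS='|' read -r name level; do
        if patch_is_current "$level" "$REQUIRED_PATCH"; then
            echo "$name: $level (patched)" >&2
        else
            echo "$name: ${level:-<unset>} (NOT patched, need $REQUIRED_PATCH)" >&2
            n=$((n + 1))
        fi
    done <<EOF
$DEVICES
EOF
    echo "$n"
}

count_unpatched
```

Run against real output by replacing the inventory with one line per device from `adb -s <serial> shell getprop ro.build.version.security_patch`; a device that reports nothing is treated as unpatched rather than skipped.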
But it’s not just an issue because of the current problem. This is a dynamic problem that is a constant concern—or at least it should be. As long as there are new vulnerabilities, delayed security updates will always be an issue. So, to put that in simpler terms: this will always be an issue because vulnerabilities are guaranteed.
While Android “fragmentation” has long been an issue (since the platform was introduced, essentially) when it comes to full OS updates, this should not apply to security updates. These are not “new features are cool, and I want them” updates, these are crucial data-protecting updates. Regardless of whether they’re small or not, this isn’t something that should be overlooked by any consumer. Ever.
Currently, manufacturers are doing a terrible job of protecting their users, full stop. While not getting full OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that can’t be ignored: it says that your phone manufacturer doesn’t care about your data. Your info isn’t important enough for them to protect.
Security updates aren’t huge like full OS updates or even point releases. They’re released monthly by Google, so they’re much smaller and easier to bake into the system—even for third-party manufacturers. Again, there’s no real excuse not to make this a priority.