Do you have an Android device? Are you running Android Nougat, Oreo, or Pie (versions 7x, 8x, or 9x)? Do you play games on your phone?
If you answered yes to those questions, you may have a problem. It is a bigger problem given that there are more than a billion devices currently in service running one of those operating systems.
A carefully crafted, innocent-looking video file could be embedded in a game app and could compromise your system, thanks to a critical vulnerability.
The RCE (Remote Code Execution) vulnerability is being tracked at CVE-2019-2107. It wworks by finding a way to trick the user into playing a poisoned video via Android's native video player application.
Google moved quickly to address the issue and has already patched it, but there's a catch. Millions of Android devices are still waiting for that last security update. The bottleneck isn't Google in this case. It's the device manufacturers themselves that are dropping the ball.
As bad as the bug is, there is a potential silver lining. The vulnerability only works if the video is viewed directly on the device. If the video is received through an instant messaging app, or uploaded to a service like YouTube, the attack becomes utterly ineffective. That's because messaging and video hosting services both compress and re-encode media files, which has a distorting effect on the embedded malicious code.
In terms of avoiding the issue, there are three things you can do:
- Make sure your OS is up to date
- Don't download games or other apps from un-trusted third-party sources. Get them from the Google Play store or don't get them at all.
- Don't download videos from un-trusted sources, including links to videos or apps you might get in your email.
While taking the advice above won't completely eliminate your risk, it will dramatically reduce it.
Social Media