
This security flaw allows hackers to take over an Android phone with an image

Security updates are supposed to protect you from software flaws that can put you in danger. We get these update notices periodically and we are always advised to install (legitimate) patches as soon as we can.

This practice can preempt software attacks that tend to exploit newly discovered bugs and weaknesses within a system.

But stop me if you’ve heard this one before – due to Android’s fragmentation, some people get their critical security updates earlier than everyone else. Some may get their updates months later. And worse, some Android gadgets may not get newer updates at all! This could leave millions of Android owners vulnerable to the latest exploits for extended periods of time.

Take this new exploit, for example. It’s a critical vulnerability that exploits one of the most popular image formats in the world, but guess what? The fix is not available for everyone yet.

Critical Android PNG image hack puts you at risk

A critical Android security flaw was recently revealed, and it’s a big one. Why? Well, it could allow an attacker to run malicious code and remotely hijack your smartphone by simply displaying a Portable Network Graphic (PNG) image file.

This means a hacker can trick you into opening a booby-trapped image sent through an email, text message or a messaging app and install malware without your knowledge.

Fun fact: PNG is a popular image compression format similar to JPEG or BMP. These images will have the .png extension.

The bug was discovered in phones running Android 7.0 (Nougat) through Android 9.0 (Pie) and was publicly disclosed in Google’s Android Security Bulletin dated Feb. 4.

Google describes the flaw as “a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

Understandably, Google did not reveal further details about the bug other than that it exists. However, it’s a relief to know that it has not been exploited (yet).

The fix is out, but it’s not available for everyone

The good news is that Google has rolled out a fix for this bug (among other things) with the February 2019 Android security update. Aside from the PNG image bug, the update also addresses 41 other issues and other vulnerabilities with assorted severity levels.

The bad news? It’s not available for all Android smartphones yet. As usual, it will roll out to Google’s own gadgets first – the Pixel-branded smartphones, the Pixel C tablet and the Essential Phone.

Now, if you own an Android gadget from other companies like Samsung, LG, Motorola, etc., you’ll have to wait for the manufacturer or your carrier to push out the update to your device (if it even gets it at all).

This leaves millions of Android smartphones vulnerable to the PNG image bug for weeks, months or even worse, maybe forever (if it’s an older model).

Haven’t received the update yet? Here’s how to protect yourself

Now that this vulnerability is publicly known, hackers will most likely try to exploit it and poke holes in vulnerable Android gadgets soon.

Although users with gadgets that are compatible with the security update have been notified, millions of vulnerable users with non-Google branded devices have not been informed yet.

To protect your unpatched Android gadget, refrain from downloading and viewing images (especially PNG files) from emails, text messages and chat messages from unknown people and sources.

Having strong security software on your gadget can also prevent malware from installing.

And finally, when the February 2019 Android security update becomes available to your device, apply it as soon as you can!

How to update your Android gadget

Whenever there’s a security patch available, Android gadgets normally update themselves automatically. To check manually, go to Settings, scroll down and click on “About Phone” or “About Tablet” (if you have a tabbed settings menu, this will appear in the “general” section), then click “Software update” and choose “Install now,” “Install overnight” or “Later.”

Note: The steps may vary depending on your Android smartphone brand. These instructions are for stock Android gadgets from Google.

Additionally, keep regular backups of your data to protect against sudden data loss or ransomware.
