Your Android device could get hacked by playing a video from an unknown source or via email. A report from The Hacker News shows that a Remote Code Execution (RCE) vulnerability (CVE-2019-2107) exists in the Android Media Framework. The only versions of the Operating System that are affected by this vulnerability are the latest ones. Meaning, Android Nougat (7.0), Oreo (8.0) and Pie (9.0) are affected by this malicious code. With this RCE vulnerability, the hacker is able to gain control of a smartphone or Android device.
The way it works is through a video. The only way the hacker can gain access to an Android device is if the user watches a video from Android’s native video player application. This triggers a code embedded in the video. When this code is executed, the remote hacker is granted full access and control over the Android device.
It is important to note that this can only happen if you download or play the video from an unknown source or via email. Meaning that, if you watch the video on social media websites, like Youtube and Twitter; or if you receive the video from apps like WhatsApp or Facebook messenger, your device will not be affected or compromised. The reason is that these sites and apps compress videos and re-encode any type of media file that is uploaded and sent through them. Once the process is complete, the malicious code gets distorted and is rendered useless.
This security problem has already been addressed by Google. Since the beginning of the month, the company has released a patch for this security vulnerability. However, not all devices have been updated, since some of them have to wait for their respective manufacturers to release the security update. Leaving millions of Android devices vulnerable until each manufacturer customizes this patch to fit each individual platform.
If you own a Google Pixel device, such as Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL, chances are you don’t have to worry about this security problem, assuming you have downloaded the July update. If not, it’s recommended that you do it, given the fact that Google fixed a total of 33 security vulnerabilities, along with some bug fixes and improvements to “OK Google” and music detection.
For every other Android user out there who doesn’t own a Google Pixel smartphone, you have to wait until your respective manufacturer releases the security update. It is recommended that you update your Android Operating System as soon as this patch becomes available for you.
In the meantime, it’s recommended that you avoid playing or downloading any type of video from an unreliable website on the internet, as well as to avoid downloading videos that you receive through your email. And overall, be careful and cautious with your media consumption on the internet.
Until this problem is fixed, remember to use trusted sites like Youtube, Facebook, and Twitter to watch videos. And it’s better to stay away from media files, as well as links to unknown websites, sent by strangers.