Android versions between 7.0 (Nougat) and 9.0 (Pie) contained a major flaw that could allow attackers to compromise a device with just a video. Tracked as CVE-2019-2107, the flaw is a remote code execution (RCE) vulnerability in the Android media framework. As a result, a maliciously crafted video, when played on the native Android media player, could allow attackers to execute arbitrary code and take over the device.
Google patched the flaw in its July security update; however, millions of devices remain vulnerable because they have yet to receive the update from their manufacturers.
The big picture
A proof-of-concept (PoC) exploit by software developer Marcin Kozlowski illustrates the flaw being exploited with HEVC video.
“CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE,” said Kozlowski.
Users are advised not to download or play videos from unknown sources, and to keep their Android devices updated to the latest version.
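The flag named in the quote above, `i1_tiles_enabled_flag`, corresponds to `tiles_enabled_flag` in the HEVC picture parameter set (PPS). The following is an added example, not code from the article or from the PoC: a small Python reader that reports whether each PPS in an Annex B byte stream enables tiles, following the field order of the H.265 PPS syntax. The sample bytes and function names are constructed for illustration; tiles are a legitimate HEVC feature, so the result only shows which streams reach the tile-handling path of a decoder, not whether a file is malicious.

```python
PPS_NAL_TYPE = 34  # HEVC nal_unit_type of a picture parameter set (PPS)

class BitReader:
    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def u(self, n):
        """Read n bits as an unsigned integer."""
        if self.pos + n > len(self.bits):
            raise ValueError("truncated PPS")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

    def ue(self):
        """Read one Exp-Golomb code (se(v) fields have the same length)."""
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
            if zeros > 32:
                raise ValueError("invalid Exp-Golomb code")
        return (1 << zeros) - 1 + (self.u(zeros) if zeros else 0)

def pps_tiles_enabled(rbsp):
    """Walk the PPS fields that precede tiles_enabled_flag and return it."""
    r = BitReader(rbsp)
    r.ue(); r.ue()          # pps_pic_parameter_set_id, pps_seq_parameter_set_id
    r.u(7)                  # 4 one-bit flags + num_extra_slice_header_bits u(3)
    r.ue(); r.ue(); r.ue()  # num_ref_idx_l0/l1_default_active_minus1, init_qp_minus26
    r.u(2)                  # constrained_intra_pred_flag, transform_skip_enabled_flag
    if r.u(1):              # cu_qp_delta_enabled_flag
        r.ue()              # diff_cu_qp_delta_depth
    r.ue(); r.ue()          # pps_cb_qp_offset, pps_cr_qp_offset
    r.u(4)                  # chroma-offsets, weighted_pred, weighted_bipred, transquant_bypass
    return bool(r.u(1))     # tiles_enabled_flag

def scan_annexb(stream):
    """Return tiles_enabled_flag for each PPS NAL unit in an Annex B byte stream."""
    flags = []
    for nal in stream.split(b"\x00\x00\x01")[1:]:
        if len(nal) > 2 and (nal[0] >> 1) & 0x3F == PPS_NAL_TYPE:
            # Drop the 2-byte NAL header and the emulation-prevention bytes.
            flags.append(pps_tiles_enabled(nal[2:].replace(b"\x00\x00\x03", b"\x00\x00")))
    return flags

# Constructed sample: a VPS NAL (ignored) and two hand-built PPS NAL units.
SAMPLE = bytes.fromhex("000001 4001 0c 00000001 4401 c073c2 80 000001 4401 c073c0 80")
```

`scan_annexb(SAMPLE)` returns one boolean per PPS, in stream order; video inside an MP4 container would first need its parameter sets extracted from the `hvcC` box, which this example does not do.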