Critical Android Vulnerability Allows Device Access via Video File
A critical vulnerability has been discovered in the Android operating system, allowing attackers to gain access to user devices. The vulnerability (CVE-2019-2107) affects Android versions 7.0 to 9.0 (Nougat, Oreo, and Pie) and enables remote code execution without requiring additional privileges. An exploit for this vulnerability was published on GitHub by researcher Marcin Kozlowski.
According to Kozlowski, an attacker can compromise a device by sending a malicious video file, for example, via email (the Gmail app can load videos using the standard Android video player). If the user opens the file, the attacker may gain access to the victim’s device.
Successful exploitation of the vulnerability is possible under one condition: the user must download the malicious video file in its original, unaltered form. The attack is reportedly ineffective if the malicious file is sent through services that re-encode videos, such as YouTube, WhatsApp, and others.
It is currently unknown exactly how many devices are at risk. According to Google, as of May 2019, there were more than 2.5 billion active Android phones. Of these, nearly 58% (about 1.5 billion) run vulnerable versions of the OS.
Google has already released an update that fixes the vulnerability.
As a reminder, in early July 2019, it was reported that criminals could manipulate media files sent by users through the WhatsApp and Telegram messengers. The issue stems from the fact that the Android mobile operating system allows apps to access files in external storage.