Do you use an Android Device? Well, Beware! You need to be more careful while playing any Video on your Smartphone or randomly download Videos anywhere from the internet or even any Video file downloaded through the received email. This is due to the fact that a specially crafted innocent looking Video file can many times compromise your Android device. Critical remote code execution vulnerability has been affecting over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie).
The critical RCE vulnerability in question has been identified as CVE-2019-2107 and it resides in the Android media framework that ion case gets exploited could permit a remote attacker to execute the arbitrary code on a targeted device. In order to gain complete control of the device, all an attacker needs to keep in mind is to anyhow trick the user into playing a specially crafted Video file with the native Video player application of the Android device.
Although Google has already released a patch in the early days of this month in the bid to address this vulnerability, apparently, millions of the Android devices are still waiting for the latest Android security update that requires to be delivered by their respective device manufacturers. Google has described the vulnerability in its July Android Security Bulletin as the most severe vulnerability in this section [media framework] could enable a remote attacker using a specially created file to execute arbitrary code within the context of a privileged process. The fact that makes the issue more critical is that the Germany-based Android developer Marcin Kozlowski has uploaded a proof-of-concept for this attack on Github. Though the PoC that has been shared by Kozlowski, an HEVC encoded Video, only crashes the media player, it can help potential attackers develop their exploits to achieve RCE on targeted devices.
Nevertheless, it should also be noted that in case such malicious Videos are received through an instant messaging app such as the WhatsApp or Facebook Messenger or even uploaded on a service like YouTube or Twitter, the attack, however, will not work. This is because these services usually compress Videos and re-encode media files which distort the embedded-malicious code. The best way to protect yourself from this attack is to make sure that you update your mobile OS as soon as the latest patch is made available. In the meantime, you are also recommended to avoid downloading and playing random Videos from any untrusted sources and also follow the basic security and privacy practices.