Millions of Android devices are vulnerable to an attack that required nothing more than the user viewing a malicious .JPEG image, no further user interaction is required. The culprit is a software library in Google’s mobile operating system that read outs out EXIF data from JPEG files.
EXIF is a standard for storing meta data in photos and security researcher Tim Strazzere from SentinelOne found that the EXIF library in Android is vulnerable. This library is used in Gmail and Gchat and Strazzere could successfully attack unpatched devices running this software. Other apps using the same library are also vulnerable.
For the attack to be successful the user only has to open an email with the email. No further interaction such as opening the image or clicking on it is required. When the mail is opened the malicious code in the EXIF metadata of the JPEG image is executed.
Strazzere bricked some Android devices when he tried to perform his attack, so he had to reinstall the operating system. Some other devices got stuck in a bootloop. It’s possible that when the attack is used in the wild, users will end up with bricked or rebooting devices.
The issue has been fixed by Google with the latest security fix for Android but only a handful devices are updated yet. Some older Android devices might never receive the update.