Android OS version 7.0 and 9.0 (Nougat, Oreo, or Pie)
An Attacker could perform remote code execution using the vulnerability (CVE-2019-2107).
According to the advisory a specially crafted innocuous-looking video file can compromise android smartphone. The vulnerability resides in the android media framework and it could allow a remote attacker to execute arbitrary code on a targeted device.
To gain the access, attacker needs to trick the user into playing a specially crafted video file with Android's native video player application.
However, it should be noted that if the video received though instant messaging applications like WhatsApp or Facebook Messanger or uploaded on a service like YouTube or Twitter, the attack will not work. But the most worrying part is that Germany-based Android developer Marchin Kozlowski has uploaded a proof-of-concept for this type of attack on Github.
✦ Execute arbitrary code
✦ Data modifications
✦ Private information disclosure
✦ To protect from this attack is to update the mobile operating system as soon as the latest patch become available. At the same time avoid downloading and playing random videos from untrusted sources.
The information provided herein is on "as is" basis, without warranty of any kind.