A brand new “malware” for Android just appeared! This time, it’s in the form of an image. Yea, it’s a seemingly nice view of the lake with an island in the middle. However, once you set this image as your background, you’ll be crying.
A quick update – we made a video version summarizing the entire saga on how and why this happened. We know all the answers now.
This was first brought up by Ice Universe, who quickly said that it only happens on Samsung phones. In my own tests, it happened on a new Samsung mid-range smartphone but not on the Galaxy Note8.
Once this image is set as the wallpaper, the phone can no longer get to the lock screen. It then reboots as a fail-safe, repeats the bootloop a few more times and eventually drops into the recovery menu.
— Sebastian (@seb3153) May 31, 2020
If you manage to get into safe mode and change the wallpaper from there, you’re safe. Otherwise, safe mode isn’t going to help you at all. The only thing left to do is a factory reset. Yes, all data will be wiped – but at least the phone works after that.
We have been asking around about what’s going on while doing our own investigation. From what we know so far, the image carries some specific embedded data that triggers this issue. Opening the image in a hex editor showed that it does contain metadata reading “Google Inc. 2016” and “Google Skia”.
So far, this has been reproduced on Android 10 devices regardless of brand.
Keep checking back as we’ll be updating this page when more information comes out.
UPDATE: The image’s colors change when it is used as a wallpaper and after a few reboots
When I first saw the image, the colors were very vivid. After setting it as the wallpaper (which you should not do), the image turned dimmer – especially the sky and clouds.
We’re still unsure why this is happening, but downloading the image from social media seems to be fine since the compression on Facebook and Twitter is horrendous, thus saving us from this “malware image”.
When I tried to upload the original image (left) to Weibo, I found that its color changed (right). At this point the image became harmless, but when uploaded to Twitter, the original image still does not change color and is still harmful. So I suspect it may be related to color gamut pic.twitter.com/0A1PlUqlpv
— Ice universe (@UniverseIce) May 31, 2020
UPDATE: The image works via metadata
It seems we have found the cause of this issue. Ice Universe is right – the whole issue comes from its color gamut. From what we discovered, it all works because of the image’s metadata.
We used a simple image metadata stripper and removed 8078 bytes of data.
After that, we viewed the image with its metadata stripped – and here is the comparison between the two images. Removing those 8078 bytes shifted the colors of the image by a lot!
The full dynamic range of the picture (hence the bright colors of the original image) can only be viewed with certain apps. Even on Windows PC, the default Windows 10 Photos app is unable to display the bright colors. In Photoshop, it can.
It seems like we have the answer to how it is happening – but why is it happening? 🤔
FINAL UPDATE: We found out the issue
After talking with a few industry experts and looking at the recovery log, we are finally able to determine the cause of this bootloop. From the looks of it, an overflow occurs when the image is used. To “recover” from this overflow, Android simply restarts the UI. But the overflow happens every time – so it keeps restarting the UI until the system eventually gives up and restarts the entire device, which leads to the bootloop.
We took the original image and looked at the ICC profile (color profile) and found out that this wallpaper is using the Google Skia color profile. I’m not sure why an image with Google Skia’s color profile isn’t functioning properly with Google’s own mobile OS.
Either way, removing the ICC profile degrades the overall colors, but it does prevent the bootloop from happening.
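For readers who want to see what the “simple metadata stripper” used above actually does, here is an added example (our own illustration, not a tool from the original article or from Google/Skia). It assumes the file is a JPEG, where an ICC profile lives in APP2 “ICC_PROFILE” segments; it walks the marker segments, reports the embedded profile and writes a copy with only those segments removed, leaving the pixel data untouched. The sample file at the bottom is constructed inline and is not the wallpaper image.

```python
import struct
# Added example, not the article's tool: detects and removes the JPEG APP2
# "ICC_PROFILE" segment. The sample file at the bottom is constructed here.
SOI, SOS, EOI, APP0, APP2 = 0xFFD8, 0xFFDA, 0xFFD9, 0xFFE0, 0xFFE2
ICC_TAG = b"ICC_PROFILE\x00"
ICC_HDR = len(ICC_TAG) + 2  # tag, then 1-byte chunk number and 1-byte chunk count

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        end = pos + 2 + length  # length counts itself and the payload, not the marker
        yield marker, pos, end
        if marker == SOS:  # entropy-coded scan follows; it has no segment structure
            return
        pos = end

def icc_segments(data: bytes):
    """(start, end) ranges of APP2 segments that carry an ICC profile chunk."""
    return [(s, e) for m, s, e in iter_segments(data)
            if m == APP2 and data[s + 4:s + 4 + len(ICC_TAG)] == ICC_TAG]

def extract_icc_profile(data: bytes) -> bytes:
    """Concatenate the profile chunks (profiles over 64 KiB span several segments)."""
    return b"".join(data[s + 4 + ICC_HDR:e] for s, e in icc_segments(data))

def strip_icc_profile(data: bytes) -> bytes:
    """Copy of the JPEG with every ICC_PROFILE segment removed; pixel data is untouched."""
    out, pos = bytearray(), 0
    for start, end in icc_segments(data):
        out += data[pos:start]
        pos = end
    return bytes(out + data[pos:])

def segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: JFIF header, one fake ICC chunk whose text mimics what a hex
# editor shows for the real profile, a minimal SOS header and no scan data.
FAKE_PROFILE = b"\x00" * 16 + b"Google Inc. 2016 Google/Skia fake profile body"
SAMPLE_JPEG = (struct.pack(">H", SOI)
               + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + segment(APP2, ICC_TAG + b"\x01\x01" + FAKE_PROFILE)
               + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + struct.pack(">H", EOI))
```

On a real file, `len(extract_icc_profile(data))` is the size of the embedded profile, and `strip_icc_profile(data)` is the image with that profile gone and nothing else changed.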