The critical RCE flaw ( CVE-2019-2107 ) in question resides in the Android Media framework that is used for media playback. The vulnerability if exploited allows a hacker to launch a remote attack using a specially created file to execute arbitrary code on the target smartphone. The attacker simply needs to encourage the user to play a specially crafted malicious video file via the native Android video player, or a 3rd party video app that uses the Android Media framework. He can then with a payload, get an elevation of privileges, and then complete control of the device. Earlier this month, Google released a security update for this critical vulnerability. “The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google described the vulnerability in its July Android Security Bulletin. However, there are millions of Android smartphones that are still vulnerable, as they are yet to receive the latest security update. To make matters worse, Marcin Kozlowski, a German-based Android developer, has uploaded a proof-of-concept for this attack on GitHub, which makes it possible to crash devices via a video file. The PoC also includes details on how to conduct RCE on LineageOS and Samsung phones. While the PoC (an HEVC encoded video) shared by Kozlowski only crashes the media player, the researcher warns that it is possible to execute arbitrary code on targeted devices with a correctly prepared video. What is worth noting that the attack doesn’t work if such malicious videos are received via social media platforms like Twitter, WhatsApp, YouTube or Messenger, as these services before sending usually compress videos and re-encode media files, which alters the embedded-malicious code. Therefore, users are advised to avoid downloading and playing random videos from unknown or untrusted sources. Users are also recommended to install the latest Android security update as soon as a patch is available.