The file may be specially designed to trigger the malicious code when the user opens it (viewed locally) on its device (locally or through a received link).
The vulnerability associated with the PNG bug can be traced as CVE-2019-1986, CVE-2019-1987, CVE-2019-1988.
CVE-2019-1986 – Uninitialized errors in SkPngCodec
CVE-2019-1987 – heap buffer overflow
CVE-2019-1988 – Error decoding JCS_RGB JPEG files