Android malware drops Banker from PNG file


Android malware drops Banker from PNG file

Post by Battlehymn Republic »

This blog post provides a really interesting explanation of how a piece of Android malware uses base64-encoded code embedded in an image file to drop malicious code that installs an APK for a banker that can steal Android users' credentials.


This is very fascinating, because it reminds me of a ten-year-old BSG fanfiction that attempts to explain how Cylons are able to hack everybody: they embed malicious code in transmissions that are picked up by sensor software. Though I suppose that a top-of-the-line warship wouldn't be running Android in the far future.

Re: Android malware drops Banker from PNG file

Post by Dominus Atheos »

You are confused about how this works. This is a two-stage trojan dropper. First it has to convince you to run a small, harmless program that doesn't require admin rights and only downloads a harmless image file from the internet, and won't trigger any antivirus programs because it's not doing anything malicious yet. Then it takes the "harmless" image file and transforms it into a virus, but because it's already on your computer/phone it may not be detected by antivirus programs that only scan things downloaded from the internet.

But the first step is for you to run the first stage; it can't actually just execute from a PNG file.

On the other hand, Stagefright could execute from just a malicious video file. On the other other hand, Stagefright was a very specific bug in Android, that was only found after poring over the source code for years.

In short, no you can't hack any random system, even ones you've never seen before, using a single payload.
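Added example, not part of either post and not the dropper from the linked blog post or any vendor's detector: the two-stage flow described above means the image that lands on the device is the artifact worth inspecting. The script below builds a constructed 1x1 PNG, hides a base64-encoded blob in it in two assumed spots (a tEXt chunk, or bytes appended after the IEND chunk; the posts do not say which spot the real sample used, so both are assumptions), and then walks the chunk structure looking for a decoded payload that starts with the ZIP magic every APK file has. The "payload" is a constructed ZIP header, not a real archive.

```python
"""Heuristic scan for a payload hidden in a PNG (added illustrative example).

Assumptions (not stated on the page): the hidden blob is either base64 text in a
tEXt chunk or raw/base64 bytes appended after IEND, and it decodes to a ZIP
archive, which is what an APK is. The sample PNG and payload are constructed here.
"""
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"   # local-file-header signature; every APK starts with it

# Constructed stand-in for a dropped APK: just the ZIP magic plus filler bytes.
SAMPLE_PAYLOAD_B64 = base64.b64encode(ZIP_MAGIC + b"\x14\x00constructed, not a real archive")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(text_payload: bytes = b"", trailer: bytes = b"") -> bytes:
    """Build a minimal 1x1 8-bit greyscale PNG, optionally with a tEXt chunk
    carrying text_payload and/or arbitrary bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    raw_scanline = b"\x00\x80"                             # filter byte + one grey pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    if text_payload:
        chunks.append(_chunk(b"tEXt", b"Comment\x00" + text_payload))
    chunks.append(_chunk(b"IDAT", zlib.compress(raw_scanline)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks) + trailer


def parse_chunks(png: bytes):
    """Walk the chunk list up to IEND. Returns (chunks, end_offset) where each
    chunk is (type, data, crc_ok) and end_offset is the byte just past IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            break                                           # truncated chunk; stop here
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        chunks.append((ctype, data, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, pos


def _looks_like_archive(blob: bytes) -> bool:
    """True if blob, or its strict base64 decoding, begins with the ZIP magic."""
    if blob.startswith(ZIP_MAGIC):
        return True
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                                      # binascii.Error is a ValueError
        return False
    return decoded.startswith(ZIP_MAGIC)


def scan_png(png: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing
    tripped these heuristics (which is not proof the file is clean)."""
    findings = []
    chunks, end = parse_chunks(png)
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC in %s chunk" % ctype.decode("latin-1"))
        if ctype == b"tEXt":                                # keyword NUL text
            keyword, _, text = data.partition(b"\x00")
            if _looks_like_archive(text):
                findings.append("tEXt chunk %r carries a base64 ZIP/APK" % keyword.decode("latin-1"))
    trailer = png[end:]
    if trailer:
        findings.append("%d bytes after IEND" % len(trailer))
        if _looks_like_archive(trailer):
            findings.append("trailer decodes to a ZIP/APK")
    return findings


if __name__ == "__main__":
    samples = {
        "clean": make_png(),
        "tEXt": make_png(text_payload=SAMPLE_PAYLOAD_B64),
        "trailer": make_png(trailer=SAMPLE_PAYLOAD_B64),
    }
    for name, img in samples.items():
        print(name, scan_png(img) or "no findings")
```

The point of checking the decoded bytes rather than the image is the one made in the post: an image viewer will happily render all three files, because nothing after IEND and nothing inside a text chunk affects the pixels. A scanner that stops at "valid PNG" sees nothing; one that looks for a second file format inside the first does.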