It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Malicious Bluetooth signals, too, it looks like


Google has emitted security fixes for Android that should be installed, should you get the chance, as the flaws they address can potentially be exploited to hijack devices.

The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

Two other bad holes we can see are in Android's handling of Bluetooth signals: a maliciously crafted transmission can execute arbitrary code on the device, according to Google.

"The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process," Team Google warned this week.

"We have had no reports of active customer exploitation or abuse of these newly reported issues."

Here's a summary of the security fixes in February's release bundle (bear in mind, only Android 7 to 9 receive security updates now):

Framework has three remote-code execution bugs, the worst of which can be pwned by a PNG file: CVE-2019-1986, affecting Android 9; CVE-2019-1987, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1988, affecting versions 8.0, 8.1, and 9.

Library has four flaws, the worst allowing code in a hacker-sent file to run when the file is parsed: CVE-2017-17760, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5268, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5269, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2017-18009, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

All are remote-code execution holes, except CVE-2017-18009, which discloses information.

System has eight flaws, the worst involving remote-code execution with Bluetooth transmissions: CVE-2019-1991, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1992, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1993, affecting versions 8.0, 8.1, and 9; CVE-2019-1994, affecting versions 8.0, 8.1, and 9; CVE-2019-1995, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1996, affecting versions 8.0, 8.1, and 9; CVE-2019-1997, affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1998, affecting version 9.

CVE-2019-1991 and 1992 are remote-code execution flaws, 1993 and 1994 are elevation of privilege, 1995 to 1997 can be exploited to disclose sensitive information, and 1998 is a denial of service.

But wait, there's more

On top of this, there are four Linux kernel flaws in Android (CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001) that can at worst be exploited by a dodgy application to gain higher privileges and hijack the device.

Nvidia's drivers have four bugs (CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684) that can at worst be exploited by malicious programs to commandeer a vulnerable device. And there are 19 security screw-ups in Qualcomm's drivers that range from high to critical severity.

If your Android device's security patch level is dated February 2019, then you're up to date. If not, then check for updates and install them – some may be available.
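A fleet-side version of that patch-level check, as an added example that is not part of the original article: it assumes the release and patch level are read from the `ro.build.version.release` and `ro.build.version.security_patch` properties, treats 2019-02-01 as the earliest level dated February 2019, and uses made-up device serials.

```shell
#!/bin/sh
# Added example: triage devices against the February 2019 patch level.
# On a live device the inputs come from `adb shell getprop ro.build.version.release`
# and `adb shell getprop ro.build.version.security_patch` (format YYYY-MM-DD).
REQUIRED=20190201   # assumption: earliest patch level "dated February 2019"

# classify RELEASE PATCH -> prints unsupported | invalid | behind | current
classify() {
  major=${1%%.*}
  case $major in ''|*[!0-9]*) echo invalid; return ;; esac
  # The article notes only Android 7 to 9 still receive security updates.
  if [ "$major" -lt 7 ]; then echo unsupported; return; fi
  case $2 in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo invalid; return ;;
  esac
  # Drop the hyphens so the date compares as a plain integer.
  if [ "$(echo "$2" | sed 's/-//g')" -lt "$REQUIRED" ]; then echo behind; else echo current; fi
}

# exposed_cves RELEASE -> Framework, Library and System CVEs the article lists for it
exposed_cves() {
  major=${1%%.*}
  cves="CVE-2019-1987 CVE-2017-17760 CVE-2018-5268 CVE-2018-5269 CVE-2017-18009"  # 7.0 to 9
  cves="$cves CVE-2019-1991 CVE-2019-1992 CVE-2019-1995 CVE-2019-1997"            # 7.0 to 9
  if [ "$major" -ge 8 ]; then cves="$cves CVE-2019-1988 CVE-2019-1993 CVE-2019-1994 CVE-2019-1996"; fi
  if [ "$major" -ge 9 ]; then cves="$cves CVE-2019-1986 CVE-2019-1998"; fi
  echo "$cves"
}

# audit: read "serial release patch" lines on stdin, print one verdict per device
audit() {
  while read -r serial release patch; do
    case $serial in ''|\#*) continue ;; esac
    status=$(classify "$release" "$patch")
    if [ "$status" = behind ]; then
      echo "$serial behind $(exposed_cves "$release" | wc -w | tr -d ' ') listed CVEs unpatched"
    else
      echo "$serial $status"
    fi
  done
}

# Constructed inventory; the serials are made up.
audit <<'EOF'
pixel-lab-01 9 2019-02-05
tablet-07 8.1.0 2018-12-01
kiosk-03 6.0.1 2017-08-01
EOF
```

The kernel, Nvidia and Qualcomm fixes are not counted here, since the article gives no per-version breakdown for them.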

It's up to your device manufacturer, and mobile carrier if appropriate, to approve and pass on fixes. Certain Google devices, primarily Pixel and older Nexus devices, get them directly from the ad giant, and its Play services can in some cases push patches straight to gizmos.

Also, there are defenses built into Android, such as ASLR, that may thwart exploit attempts. So far, no malware or miscreants are said to be targeting the flaws. ®
