It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Google has emitted security fixes for Android that should be installed, should you get the chance, as they can be potentially exploited to hijack devices.

The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

Two other bad holes we can see are in Android's handling of Bluetooth signals: a maliciously crafted transmission can execute arbitrary code on the device, according to Google.

"The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process," Team Google warned this week.

"We have had no reports of active customer exploitation or abuse of these newly reported issues."

Here's a summary of the security fixes in February's release bundle (bear in mind, only Android 7 to 9 receive security updates now):

Framework has three remote-code execution bugs, the worst of which can be pwned by a PNG file: CVE-2019-1986, affecting Android 9; CVE-2019-1987 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1988 affecting version 8.0, 8.1, 9.

Library has four flaws, the worst allowing code to run in a hacker-sent file when parsed: CVE-2017-17760 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5268 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5269 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9; and CVE-2017-18009 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

All are remote-code execution holes, except CVE-2017-18009, which discloses information.

System has eight flaws, the worst involving remote-code execution with Bluetooth transmissions: CVE-2019-1991 affection versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1992 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1993 affecting versions 8.0, 8.1, and 9; CVE-2019-1994 affecting versions 8.0, 8.1, and 9; CVE-2019-1995 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1996 affecting versions affecting 8.0, 8.1, and 9; CVE-2019-1997 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1998 affecting version 9.

CVE-2019-1991 and 1992 are remote-code execution flaws, 1993 and 1994 are elevation of privilege, 1995 to 1997 can be exploited to disclose sensitive information, and 1998 is a denial of service.

But wait, there's more

On top of this, there are four Linux kernel flaws in Android (CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001) that can at worst be exploited by a dodgy application to gain higher privileges and hijack the device.

Nvidia's drivers have four bugs (CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684) that can at worst be exploited by malicious programs commandeer a vulnerable device. And 19 security screw-ups in Qualcomm's drivers that range from high to critical severity.

If your Android device's security patch level is dated February 2019, then you're up to date. If not, then check for updates and install them – some may be available.

It's up to your device manufacturer, and mobile carrier if appropriate, to approve and pass on fixes. Certain Google devices, primarily Pixel and older Nexus devices, get them directly from the ad giant, and its Play services can in some cases push patches straight to gizmos.

Also, there are defenses built into Android, such as ASLR, that may thwart exploit attempts. So far, no malware or miscreants are said to be targeting the flaws. ®