Google's just-released April 2019 Android security updates address three remote code execution flaws affecting devices running the mobile OS.
As usual, Google's monthly Android update includes two patch levels that are immediately available to Google's own Pixel devices and have been shared with other Android device makers to distribute to their respective devices.
The 2019-04-01 patch level includes fixes for two critical remote code execution flaws affecting the Media framework, the Android media library that got a lot more attention after 2015's Stagefright bugs were found to affect virtually all Android devices and prompted Google to pressure Android vendors to deliver security patches more swiftly and regularly.
The Media framework bugs affect Android 7 and up and "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process", according to Google's bulletin.
Samsung notes that its April security update includes fixes for the same two Media framework bugs, CVE-2019-2027 and CVE-2019-2028. The patch is available for Samsung's flagship Galaxy phones. Huawei is also delivering Google's Media framework fixes in its April update for flagship phones.
The remaining nine flaws are elevation-of-privilege and information-disclosure issues affecting Android, the worst of which could allow an installed malicious app to "execute arbitrary code within the context of a privileged process".
The second patch level, 2019-04-05, addresses four flaws in Android itself, including one critical remote code execution bug, as well as dozens of issues affecting Qualcomm components.
Google highlighted this week in its 2018 Android security report that end-user patching of its own Pixel devices is a huge success. At the end of 2018, over 95 percent of all Pixel 3 and Pixel 3 XL phones in the wild were running a security update from the past 90 days.
The company also notes that it has worked with device makers, mobile network operators, and system-on-chip vendors to boost the number of Android devices receiving regular security updates. Google says in Q4 2018 it had "84 percent more Android devices receiving a security update than in the same quarter the prior year".
Google is also helping Android device makers use a tool called SnoopSnitch, developed by Security Research Labs, whose researchers employ it to find out whether devices from major brands are missing patches from a patch level displayed to users.
The company found that even well-known vendors like HTC, Huawei, LG, and Motorola are missing on average three to four patches from each patch level, leaving consumers misinformed about the state of their device.
More on Android security
- DrainerBot infected apps play invisible videos to drain your data
- Android adware tricks ad networks into thinking it's an iPhone to make more money
- Android Security Bulletin March 2019: What you need to know TechRepublic
- Open-source LineageOS 16 based on Android 9.0 Pie improves privacy and security TechRepublic
- Gmail gave Google the confidence to take over the world CNET