Security

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Malicious Bluetooth signals, too, it looks like

By Shaun Nichols

58 SHARE

Google has emitted security fixes for Android that should be installed, should you get the chance, as they can be potentially exploited to hijack devices.

The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

Two other bad holes we can see are in Android's handling of Bluetooth signals: a maliciously crafted transmission can execute arbitrary code on the device, according to Google.

"The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process," Team Google warned this week.

"We have had no reports of active customer exploitation or abuse of these newly reported issues."

Here's a summary of the security fixes in February's release bundle (bear in mind, only Android 7 to 9 receive security updates now):

Framework has three remote-code execution bugs, the worst of which can be pwned by a PNG file: CVE-2019-1986, affecting Android 9; CVE-2019-1987 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1988 affecting version 8.0, 8.1, 9.

Library has four flaws, the worst allowing code to run in a hacker-sent file when parsed: CVE-2017-17760 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5268 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5269 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9; and CVE-2017-18009 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

All are remote-code execution holes, except CVE-2017-18009, which discloses information.

System has eight flaws, the worst involving remote-code execution with Bluetooth transmissions: CVE-2019-1991 affection versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1992 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1993 affecting versions 8.0, 8.1, and 9; CVE-2019-1994 affecting versions 8.0, 8.1, and 9; CVE-2019-1995 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1996 affecting versions affecting 8.0, 8.1, and 9; CVE-2019-1997 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1998 affecting version 9.

CVE-2019-1991 and 1992 are remote-code execution flaws, 1993 and 1994 are elevation of privilege, 1995 to 1997 can be exploited to disclose sensitive information, and 1998 is a denial of service.

But wait, there's more

On top of this, there are four Linux kernel flaws in Android (CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001) that can at worst be exploited by a dodgy application to gain higher privileges and hijack the device.

Nvidia's drivers have four bugs (CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684) that can at worst be exploited by malicious programs commandeer a vulnerable device. And 19 security screw-ups in Qualcomm's drivers that range from high to critical severity.

If your Android device's security patch level is dated February 2019, then you're up to date. If not, then check for updates and install them – some may be available.

It's up to your device manufacturer, and mobile carrier if appropriate, to approve and pass on fixes. Certain Google devices, primarily Pixel and older Nexus devices, get them directly from the ad giant, and its Play services can in some cases push patches straight to gizmos.

Also, there are defenses built into Android, such as ASLR, that may thwart exploit attempts. So far, no malware or miscreants are said to be targeting the flaws. ®

Sign up to our NewsletterGet IT in your inbox daily

58 Comments

More from The Register

OK, Google. Music in 2019 isn't what it was, but Play nice, will ya?

Bug appears to hate tunes released this year

Is that rain or tears of frustration on your face? Google Cloud bursts, Console and Dataflow washed away for hours

Servers-for-hire shop takes nap for repairs

Google Play Store spews malware onto 9 million 'Droids

How did these get through the net?

Google Pay tells Euro users it has ditched UK for Ireland ahead of Brexit

As politicos struggle over deal, firms continue bracing for Britain's departure

Google Fiber experiment ends with Choc Factory paying Louisville $3.8m to clean up its mess

Payout will cover costs incurred for (not quite) burying cable

All your ETL pipeline are belong to us: Google snaps up Alooma

Aloogle? Goolooma? Take your pick

Google pholds! Just kidding. But Android Q Beta 2 drop supports those cool bendy mobes

Toying with UI, burstin' bubbles

FYI: Drone maker DJI's 'Get it on Google Play' website button definitely does not get the app from Google Play...

Updated Quadcopter slinger rudely palms folk off to .apk download

Latest Google+ flaw leads Chocolate Factory to shut down site early

52.5 million accounts at risk, tens of people are worried

Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone

+Comment Whoops! Oh gosh