Security

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Malicious Bluetooth signals, too, it looks like

By Shaun Nichols

58 SHARE

Google has emitted security fixes for Android that should be installed, should you get the chance, as they can be potentially exploited to hijack devices.

The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

Two other bad holes we can see are in Android's handling of Bluetooth signals: a maliciously crafted transmission can execute arbitrary code on the device, according to Google.

"The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process," Team Google warned this week.

"We have had no reports of active customer exploitation or abuse of these newly reported issues."

Here's a summary of the security fixes in February's release bundle (bear in mind, only Android 7 to 9 receive security updates now):

Framework has three remote-code execution bugs, the worst of which can be pwned by a PNG file: CVE-2019-1986, affecting Android 9; CVE-2019-1987 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1988 affecting version 8.0, 8.1, 9.

Library has four flaws, the worst allowing code to run in a hacker-sent file when parsed: CVE-2017-17760 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5268 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2018-5269 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9; and CVE-2017-18009 affecting version 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

All are remote-code execution holes, except CVE-2017-18009, which discloses information.

System has eight flaws, the worst involving remote-code execution with Bluetooth transmissions: CVE-2019-1991 affection versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1992 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1993 affecting versions 8.0, 8.1, and 9; CVE-2019-1994 affecting versions 8.0, 8.1, and 9; CVE-2019-1995 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; CVE-2019-1996 affecting versions affecting 8.0, 8.1, and 9; CVE-2019-1997 affecting versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9; and CVE-2019-1998 affecting version 9.

CVE-2019-1991 and 1992 are remote-code execution flaws, 1993 and 1994 are elevation of privilege, 1995 to 1997 can be exploited to disclose sensitive information, and 1998 is a denial of service.

But wait, there's more

On top of this, there are four Linux kernel flaws in Android (CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001) that can at worst be exploited by a dodgy application to gain higher privileges and hijack the device.

Nvidia's drivers have four bugs (CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684) that can at worst be exploited by malicious programs commandeer a vulnerable device. And 19 security screw-ups in Qualcomm's drivers that range from high to critical severity.

If your Android device's security patch level is dated February 2019, then you're up to date. If not, then check for updates and install them – some may be available.

It's up to your device manufacturer, and mobile carrier if appropriate, to approve and pass on fixes. Certain Google devices, primarily Pixel and older Nexus devices, get them directly from the ad giant, and its Play services can in some cases push patches straight to gizmos.

Also, there are defenses built into Android, such as ASLR, that may thwart exploit attempts. So far, no malware or miscreants are said to be targeting the flaws. ®

Sign up to our NewsletterGet IT in your inbox daily

58 Comments

More from The Register

Investor fires shot at 'sinking ship' Google in battle over privacy-menacing Google+ bug

Pension fund files lively lawsuit hate-letter after 500,000 people's deets put at risk

More households invite creepy smart speakers indoors: Arch-slurper Google top dog for Q1

Chocolate Factory overtakes Amazon as European sales surge 45.1% – people clearly didn't hear the cries of frustrated Google Home users

OK, Google. Music in 2019 isn't what it was, but Play nice, will ya?

Bug appears to hate tunes released this year

Murdoch-backed adtech startup Unlockd ditches Google lawsuit: That'll be £200k, ta very much

Could have been a million times (or pounds) worse

Google shares take a dive with reports of US DoJ 'competition' probe

Another regulator lines up to have a kick

The e-mpire strikes back: Google appeals that $1.7bn EU fine for choking web ad rivals

Lmao, we're not paying that chump change, says ad slinger

Stay frosty: Google to fork out another €600m on bit barns in Finland

That's now €1.4bn splurged on the small town of Hamina

You can't say Go without Google – specifically, our little logo, Chocolate Factory insists

We pay for the hosting so the big G stays: Open-source community-driven code lingo site must sport giant's brand

Sunday seems really quiet. Hmm, thinks Google, let's have a four-hour Gmail, YouTube, G Suite, Cloud outage

Unlucky netizens struggle to connect to web giant suffering from 'network congestion'

What happens in Vegas ... will probably go through the huge bit barn Google is building in Nevada

Excuse us, we mean 'Jasmine Development'