Google has released its April 2019 Android security updates, which address three remote code execution flaws affecting devices running the mobile OS.
Google’s monthly Android update includes two patch levels, which are available to Google’s Pixel devices and are shared with other Android manufacturers to distribute to their respective devices.
The security patch includes fixes for two critical remote code execution flaws affecting the Media framework, the Android media library that drew attention after 2015’s Stagefright bugs were found to affect virtually all Android devices and prompted Google to ask Android vendors to deliver security patches more swiftly and regularly.
The Media framework bugs affect Android 7 and later versions and would let a remote attacker using a specially crafted file execute arbitrary code within the context of a privileged process.
Samsung stated that its April security update includes fixes for the same two Media framework bugs, CVE-2019-2027 and CVE-2019-2028. The patch is available for Samsung’s flagship Galaxy phones. Huawei is also providing Google’s Media framework fixes in its April update for flagship phones.
The remaining nine flaws are elevation-of-privilege and information-disclosure issues affecting Android, which would allow an installed malicious app to execute arbitrary code within the context of a privileged process.
The second patch level, 2019-04-05, addresses four flaws in Android, including one critical remote code execution bug, and dozens of issues affecting Qualcomm components.
In its 2018 Android security report, Google said that end-user patching of its own Pixel devices has been a huge success. At the end of 2018, around 95 percent of all Pixel 3 and Pixel 3 XL phones in the wild were running a security update from the past 90 days.
Google also stated that it has worked with device makers, mobile network operators, and system-on-chip vendors to boost the number of Android devices receiving regular security updates. In the fourth quarter of 2018, it had 84 percent more Android devices receiving a security update than in the same quarter the year before.
Google is supporting Android device makers in using a tool called SnoopSnitch, developed by Security Research Labs. Researchers use this tool to find out whether devices from major brands are missing patches from the patch level displayed to users.
It has been found that even well-known vendors like HTC, Huawei, LG, and Motorola are missing an average of three to four patches from each patch level, misleading consumers about the state of their devices.