Another month is here and Android finds itself with a mixture of critical and high vulnerabilities.

It's a Qualcomm kinda month for the Android Security Bulletin, with the majority of issues falling into the hands of the chip maker. Qualcomm components alone hold more than fifty vulnerabilities marked "high" in this month's security bulletin. If you like to keep watch on the security of the Android platform you will certainly want to know what's happening in the April Security Bulletin.
Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 2 (not recommended to be used by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (April 5, 2018).
SEE: Windows 10 security: A guide for business leaders (Tech Pro Research)
To find out what patch level you are running, open Settings and go to About Phone. If you use Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.
Figure A: The most recent security patch found on Android Q Beta 2.
Terminology
You will find different types of vulnerabilities listed. Possible types include:
- RCE--Remote code execution
- EoP--Elevation of privilege
- ID--Information disclosure
- DoS--Denial of service
And now, onto the issues.
04/01/2019 Security Patch Level
Critical issues
There are only two issues marked critical in the 04/01/2019 patch level. Both of these issues were found in the media framework and are marked as such due to the ability of a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):
- CVE-2019-2027A-119120561 RCE
- CVE-2019-2028A-120644655 RCE
High issues
The first issue marked high was found with the framework and was marked as such due to the ability of a local attacker to gain additional permissions, which would bypass user interaction. The related bug is (listed by CVE, Reference, and Type):
- CVE-2019-2026 A-120866126 EoP
Next, we find eight issues marked high in the system. These bugs were marked high because it could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):
- CVE-2019-2030A-119496789 EoP
- CVE-2019-2031 A-120502559 EoP
- CVE-2019-2033A-121327565 EoP
- CVE-2019-2034A-122035770 EoP
- CVE-2019-2035A-122320256 EoP
- CVE-2019-2038A-121259048 ID
- CVE-2019-2039A-121260197 ID
- CVE-2019-2040A-122316913 ID
And that's it for the 04/01/2019 security patch level.
04/05/2019 Security Patch Level
Critical issues
There are eight critical issues found in the 04/05/2019 security patch. The first issue is found in the system and is marked high as it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug is (listed by CVE, Reference, and Type):
- CVE-2019-2029A-120612744 RCE
Our next critical issue in one of the Qualcomm open source components. The details for this issue can be found in the April Qualcomm Security Bulletin. The related bug is (listed by CVE, Reference, Qualcomm Reference, and Component):
- CVE-2018-11940 A-79377832 QC-CR#2254946 WLAN HOST
There were six issues marked critical found in Qualcomm closed-source components. Again, the details for these issues can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):
- CVE-2018-11271 A-120487384
- CVE-2018-11976 A-117119000
- CVE-2018-12004 A-117118976
- CVE-2018-13886 A-117118295
- CVE-2018-13887 A-117119172
- CVE-2019-2250 A-122473270
High issues
With more than fifty vulnerabilities between both open- and closed-source components, Qualcomm chips found themselves in a most undesirable spotlight.
But Qualcomm wasn't the only victim. The Android system is listed with three issues marked high. These bugs were marked as such because it could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):
- CVE-2019-2032A-121145627 EoP
- CVE-2019-2041A-122034690 EoP
- CVE-2019-2037A-119870451 ID
And now, the first batch of Qualcomm issues. Here is the list of issues that affect open-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):
- CVE-2017-17772 A-72957385 QC-CR#2153003 WLAN HOST
- CVE-2018-11294 A-109741680 QC-CR#2197481 WLAN HOST
- CVE-2018-5855 A-77527719 QC-CR#2193421 WLAN HOST
- CVE-2018-11299 A-109741946 QC-CR#2186953 WLAN HOST
- CVE-2018-11826 A-111127853 QC-CR#2205957 WLAN HOST
- CVE-2018-11827 A-111128575 QC-CR#2206569 WLAN HOST
- CVE-2018-11840 A-111126050 QC-CR#2215443 WLAN HOST
- CVE-2018-11851 A-111125792 QC-CR#2221902 WLAN HOST
- CVE-2018-11860 A-111128301 QC-CR#2225113 WLAN HOST
- CVE-2018-11868 A-111128420 QC-CR#2227248 WLAN HOST
- CVE-2018-11869 A-111128838 QC-CR#2227263 WLAN HOST
- CVE-2018-11878 A-111128797 QC-CR#2228608 WLAN HOST
- CVE-2018-11889 A-111128421 QC-CR#2230998 WLAN HOST
- CVE-2018-11891 A-111128578 QC-CR#2231767 WLAN HOST
- CVE-2018-11894 A-111127989 QC-CR#2232358 WLAN HOST
- CVE-2018-11895 A-111128877 QC-CR#2232542 WLAN HOST
- CVE-2018-11897 A-111128841 QC-CR#2233033 WLAN HOST
- CVE-2018-11902 A-111126532 QC-CR#2225604 WLAN HOST
- CVE-2018-11904 A-111125111 QC-CR#2215446 WLAN HOST
- CVE-2018-11905 A-112277221 QC-CR#2146878 WLAN HOST
- CVE-2018-11923 A-112276863 QC-CR#2224443 WLAN HOST
- CVE-2018-11924 A-112278150 QC-CR#2224451 WLAN HOST
- CVE-2018-11925 A-112277910 QC-CR#2226375 WLAN HOST
- CVE-2018-11927 A-112277186 QC-CR#2227076 WLAN HOST
- CVE-2018-11930 A-112278861 QC-CR#2231770 WLAN HOST
- CVE-2018-11937 A-112277891 QC-CR#2245944 WLAN HOST
- CVE-2018-11949 A-112278405 QC-CR#2249815 WLAN HOST
- CVE-2018-11953 A-112277852 QC-CR#2235576 WLAN HOST
- CVE-2018-13920 A-120487136 QC-CR#2293841 Kernel
Next comes the close-source Qualcomm components. Here is the list of issues that affect open-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):
- CVE-2018-11291 A-109678120
- CVE-2018-11821 A-111093019
- CVE-2018-11822 A-111092813
- CVE-2018-11828 A-111089816
- CVE-2018-11849 A-111092945
- CVE-2018-11850 A-111092919
- CVE-2018-11853 A-111091938
- CVE-2018-11854 A-111093762
- CVE-2018-11856 A-111093242
- CVE-2018-11859 A-111090373
- CVE-2018-11861 A-111092814
- CVE-2018-11862 A-111093763
- CVE-2018-11867 A-111093243
- CVE-2018-11870 A-111089817
- CVE-2018-11871 A-111092400
- CVE-2018-11872 A-111090534
- CVE-2018-11873 A-111091378
- CVE-2018-11874 A-111092946
- CVE-2018-11875 A-111093022
- CVE-2018-11876 A-111093244
- CVE-2018-11877 A-111092888
- CVE-2018-11879 A-111093280
- CVE-2018-11880 A-111092401
- CVE-2018-11882 A-111093259
- CVE-2018-11884 A-111090535
- CVE-2018-11928 A-112279580
- CVE-2018-11936 A-112279127
- CVE-2018-11967 A-119049704
- CVE-2018-11967 A-119052960
- CVE-2018-11968 A-114042276
- CVE-2018-12005 A-117118499
- CVE-2018-12012 A-117119174
- CVE-2018-12013 A-117119152
- CVE-2018-13885 A-117118789
- CVE-2018-13895 A-122472377
- CVE-2018-13925 A-120483842
- CVE-2019-2244 A-122472139
- CVE-2019-2245 A-122473145
Upgrade and update
The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.
Also see
- Android Security Bulletin March 2019: What you need to know (TechRepublic)
- Android Security Bulletin Feb 2019: What you need to know (TechRepublic)
- Two-thirds of all Android antivirus apps are frauds (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- 10 dangerous app vulnerabilities to watch out for (TechRepublic download)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)