Android Security Bulletin April 2019: What you need to know

Another month is here and Android finds itself with a mixture of critical and high vulnerabilities.

It's a Qualcomm kinda month for the Android Security Bulletin, with the majority of issues falling into the hands of the chip maker. Qualcomm components alone hold more than fifty vulnerabilities marked "high" in this month's security bulletin. If you like to keep watch on the security of the Android platform you will certainly want to know what's happening in the April Security Bulletin.

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 2 (not recommended to be used by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (April 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. On Android Pie, that location moved to Settings | Security & Location | Security update. Scroll down and tap the version of Android on your device; the resulting window (Figure A) shows your security patch level.

Figure A: The most recent security patch found on Android Q Beta 2.
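The value shown on that Settings screen is also exposed as the system property ro.build.version.security_patch (formatted YYYY-MM-DD), which is what a fleet or audit script would read over adb. The following POSIX shell script is an added example, not code from the article or from Google: it compares a device's reported level against the two levels in this bulletin, 2019-04-01 (framework and system fixes) and 2019-04-05 (adds the Qualcomm component fixes), and rejects malformed values instead of silently passing them. The sample level at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify a device's reported security
# patch level against the two April 2019 bulletin levels.
#
# On a connected device the level can be read with:
#   adb shell getprop ro.build.version.security_patch
# The sample level passed at the bottom of this file is constructed.

BULLETIN_PARTIAL="2019-04-01"   # framework/system fixes only
BULLETIN_FULL="2019-04-05"      # also includes the Qualcomm component fixes

# patch_level_meets DEVICE_LEVEL REQUIRED_LEVEL
# Returns 0 if DEVICE_LEVEL (YYYY-MM-DD) is at or after REQUIRED_LEVEL,
# 1 if it is older, and 2 if either string is not a well-formed date.
patch_level_meets() {
    dev=$(printf '%s' "$1" | tr -d '-')
    req=$(printf '%s' "$2" | tr -d '-')
    for v in "$dev" "$req"; do
        case "$v" in
            ????????) ;;            # exactly eight characters (YYYYMMDD)
            *) return 2 ;;
        esac
        case "$v" in
            *[!0-9]*) return 2 ;;   # anything other than digits is invalid
        esac
    done
    # With dashes stripped, a numeric comparison orders the dates correctly.
    if [ "$dev" -ge "$req" ]; then return 0; else return 1; fi
}

# classify_patch_level DEVICE_LEVEL
# Prints "full", "partial", "outdated" or "invalid"; returns 0 for the
# first two, 1 for outdated and 2 for invalid.
classify_patch_level() {
    lvl="$1"
    rc=0
    patch_level_meets "$lvl" "$BULLETIN_FULL" || rc=$?
    case "$rc" in
        0) echo full; return 0 ;;
        2) echo invalid; return 2 ;;
    esac
    rc=0
    patch_level_meets "$lvl" "$BULLETIN_PARTIAL" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo partial     # has the 04/01 fixes but not the Qualcomm ones
        return 0
    fi
    echo outdated
    return 1
}

# Demo on a constructed sample level. For a real device replace it with:
#   "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
SAMPLE_LEVEL="2019-04-05"   # constructed sample value
printf 'device level %s -> %s\n' "$SAMPLE_LEVEL" "$(classify_patch_level "$SAMPLE_LEVEL")"
```

The distinction between the two levels matters in practice: a device reporting 2019-04-01 has the framework and system fixes described below but none of the Qualcomm fixes, so a check that only tests for "April 2019" would overstate its coverage. The `tr -d '\r'` in the adb line strips the carriage return that adb shell output carries on some platforms, which would otherwise make a valid date fail the format check.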

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

04/01/2019 Security Patch Level

Critical issues

There are only two issues marked critical in the 04/01/2019 patch level. Both of these issues were found in the media framework and are marked as such due to the ability of a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

High issues

The first issue marked high was found with the framework and was marked as such due to the ability of a local attacker to gain additional permissions, which would bypass user interaction. The related bug is (listed by CVE, Reference, and Type):

  • CVE-2019-2026 A-120866126 EoP

Next, we find eight issues marked high in the system. These bugs were marked high because they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

And that's it for the 04/01/2019 security patch level.

04/05/2019 Security Patch Level

Critical issues

There are eight critical issues found in the 04/05/2019 security patch. The first issue is found in the system and is marked high as it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug is (listed by CVE, Reference, and Type):

Our next critical issue is in one of the Qualcomm open-source components. The details for this issue can be found in the April Qualcomm Security Bulletin. The related bug is (listed by CVE, Reference, Qualcomm Reference, and Component):

There were six issues marked critical found in Qualcomm closed-source components. Again, the details for these issues can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):

  • CVE-2018-11271 A-120487384
  • CVE-2018-11976 A-117119000
  • CVE-2018-12004 A-117118976
  • CVE-2018-13886 A-117118295
  • CVE-2018-13887 A-117119172
  • CVE-2019-2250 A-122473270

High issues

With more than fifty vulnerabilities between both open- and closed-source components, Qualcomm chips found themselves in a most undesirable spotlight.

But Qualcomm wasn't the only victim. The Android system is listed with three issues marked high. These bugs were marked as such because they could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

And now, the first batch of Qualcomm issues. Here is the list of issues that affect open-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):

Next come the closed-source Qualcomm components. Here is the list of issues that affect closed-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):

  • CVE-2018-11291 A-109678120
  • CVE-2018-11821 A-111093019
  • CVE-2018-11822 A-111092813
  • CVE-2018-11828 A-111089816
  • CVE-2018-11849 A-111092945
  • CVE-2018-11850 A-111092919
  • CVE-2018-11853 A-111091938
  • CVE-2018-11854 A-111093762
  • CVE-2018-11856 A-111093242
  • CVE-2018-11859 A-111090373
  • CVE-2018-11861 A-111092814
  • CVE-2018-11862 A-111093763
  • CVE-2018-11867 A-111093243
  • CVE-2018-11870 A-111089817
  • CVE-2018-11871 A-111092400
  • CVE-2018-11872 A-111090534
  • CVE-2018-11873 A-111091378
  • CVE-2018-11874 A-111092946
  • CVE-2018-11875 A-111093022
  • CVE-2018-11876 A-111093244
  • CVE-2018-11877 A-111092888
  • CVE-2018-11879 A-111093280
  • CVE-2018-11880 A-111092401
  • CVE-2018-11882 A-111093259
  • CVE-2018-11884 A-111090535
  • CVE-2018-11928 A-112279580
  • CVE-2018-11936 A-112279127
  • CVE-2018-11967 A-119049704
  • CVE-2018-11967 A-119052960
  • CVE-2018-11968 A-114042276
  • CVE-2018-12005 A-117118499
  • CVE-2018-12012 A-117119174
  • CVE-2018-12013 A-117119152
  • CVE-2018-13885 A-117118789
  • CVE-2018-13895 A-122472377
  • CVE-2018-13925 A-120483842
  • CVE-2019-2244 A-122472139
  • CVE-2019-2245 A-122473145

Upgrade and update

The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.