Google's April Android Security Update Fixes 8 Critical Vulnerabilities

Google on Monday started rolling out the April monthly Android security update for its Nexus range of devices. The company says that the security update is now available for Nexus devices through an over-the-air (OTA) update.

The latest Nexus firmware images have also been released to the Google Developer site for download as well as changelogs have been published on the Android Open Source Project (AOSP) for its partners and other manufacturers. Google says that the source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. While other manufacturers prepare to release their device-specific updates, BlackBerry has already released the April security update for its Priv Android smartphone.

The latest April update patches eight vulnerabilities that have been flagged as "critical" by Google, and 13 vulnerabilities that fall on the spectrum of "high" severity. The company has also listed eight "moderate" security glitches that have also been resolved.

In its Nexus Security Bulletin for April, Google said the Android security update has fixed one of the most severe Stagefright security vulnerabilities that could enable remote code execution on an affected device through multiple methods (such as email, Web browsing, and MMS) when processing media files. The Bulletin notes that partner OEMs were notified about the issues described in the April security update on March 16, 2016 or earlier.

The critical security vulnerabilities fixed in the update by Google include remote code execution vulnerability in DHCPCD, which if left untreated can enable attacker to cause memory corruption. Other vulnerabilities such as remote code execution vulnerability in media codec, remote code execution vulnerability in mediaserver, and remote code execution vulnerability in libstagefright can allow an attacker to cause memory corruption and remote code execution as the mediaserver process during media file and data processing of a specially crafted file.

Some of the other critical vulnerabilities listed include elevation of privilege vulnerability in kernel, elevation of privilege vulnerability in Qualcomm Performance Module, elevation of Privilege Vulnerability in Qualcomm RF Component, and elevation of Privilege Vulnerability in Kernel.

Notably, the majority of vulnerabilities fixed in the April Android security update were reported to Google late last year or early this year.

Much like the February and March security updates, the April Android security update is purely focused on security fixes and does not upgrade the Android version.