Almost all Android smartphones could be vulnerable to remote code execution due to vulnerabilities discovered in the audio decoders of Qualcomm and MediaTek chips.
These vulnerabilities were discovered by Check Point Research (CPR) and if left unpatched, an attacker could exploit them to gain remote access to a device’s camera and microphone using a malformed audio file. At the same time, an unprivileged Android app could exploit these vulnerabilities to elevate its privileges to spy on a user’s media data and listen in on their conversations.
Since most Android devices are powered by Qualcomm or MediaTek chips, the impact of these vulnerabilities is significant, but thankfully CPR has responsibly disclosed its findings to both chipmakers who have since released patches.
Check Point security researcher Slava Makkaveev provided additional information on the company’s findings regarding these high and critical severity vulnerabilities in a press release, stating:
“We discovered a set of vulnerabilities that could be used for remote execution and elevation of privilege on two-thirds of the world’s mobile devices. The vulnerabilities were easily exploitable. A malicious actor could have sent a song (file multimedia) and, when read by a potential victim, he could have injected code into the privileged multimedia service. The threat actor could have seen what the cell phone user sees on his phone. In our proof of concept, we were able to steal the phone’s camera feed. What is the most sensitive information on your phone? I think it’s your media: audio and video. An attacker could have stolen it through these vulnerabilities.
Vulnerable audio decoders
The vulnerabilities themselves were found in Apple Lossless Audio Codec (ALAC), also known as Apple Lossless.
First introduced in 2004 for lossless data compression of digital music, Apple made ALAC open source in late 2011 and the format is now integrated into many non-Apple audio playback devices and programs, including Android smartphones as well. than Linux and Windows media players. and converters.
While Apple has updated the proprietary version of its set-top box patching and fixing security issues multiple times, the code shared in the open-source version of ALAC hasn’t been patched since 2011. CPR discovered that Qualcomm and MediaTek had ported the vulnerable ALAC code into their own audio decoders, which is why so many Android smartphones are now at risk.
CPR responsibly disclosed its findings to both chipmakers last year and they in turn released patches to repair all of their vulnerable audio decoders in December. To avoid falling victim to potential attacks, you should ensure that your Android device has been updated with all the latest patches.