Three vulnerabilities found in Qualcomm and MediaTek chipsets were finally patched late last year, but before that, two-thirds of Android phones were at risk of giving attackers access to media and audio conversations. Both Qualcomm and MediaTek use the Apple Lossless Audio Codec (ALAC), which provides lossless data compression for digital music streams.
Just over a decade ago, Apple open-sourced ALAC, allowing the format to be used on non-Apple devices, including Android phones. There were several updates, but it hasn’t been patched since 2011.
Researchers at Israeli security firm Check Point Research found that attackers could exploit these vulnerabilities to perform remote code execution (RCE) attacks. “The impact of the RCE vulnerability can range from malware execution to attacker control of a user’s multimedia data, including streaming from an infected machine’s camera,” Check Point wrote in its blog. Additionally, an unprivileged Android application can exploit these vulnerabilities to escalate its privileges and gain access to media data and user conversations.
Qualcomm and MediaTek chips affected by vulnerabilities
Check Point Research found that Qualcomm and MediaTek ported the vulnerable ALAC code into their audio decoders, which are said to be used by more than half of the world’s smartphones. Check Point noted that, according to the latest IDC data, MediaTek chipsets hold the leading share of all Android phones in the US at 48.1%, with Qualcomm at 47%.
Check Point passed its findings to Qualcomm and MediaTek. MediaTek assigned two Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2021-0674 and CVE-2021-0675, to the ALAC vulnerabilities, which it fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.
Security researcher Slava Makkaveev, who discovered the flaws with Netanel Ben Simon, said: “These flaws are easy to exploit. A threat actor might send a song (media file) and, when played by a potential victim, it might inject code into the privileged media service. Threat actors may have seen what phone users see on their phones.”