Security researchers say they have discovered a vulnerability that could allow hackers to compromise millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.
The vulnerability exists in ALAC (short for Apple Lossless Audio Codec, also known as Apple Lossless), an audio format introduced by Apple in 2004 to provide lossless audio over the Internet. While Apple has been updating its proprietary version of the decoder for years to fix security flaws, the open-source version used by Qualcomm and MediaTek hasn’t been updated since 2011.
Qualcomm and MediaTek together supply mobile chipsets for approximately 95% of Android devices in the United States.
Remote eavesdropper
The faulty ALAC code contains an out-of-bounds vulnerability, meaning it retrieves data from outside the bounds of allocated memory. Hackers can use this bug to force the decoder to execute malicious code that would otherwise be off-limits.
“The ALAC issue identified by our researchers could potentially be used by an attacker in a remote code execution (RCE) attack on a mobile device via a malformed audio file,” security firm Check Point said Thursday. “Remote execution of malicious code on the Internet. The impact of the RCE vulnerability ranges from malware execution to attackers taking control of a user’s multimedia data, including streaming media from an infected machine’s camera.”
Check Point cited a researcher as saying that two-thirds of all smartphones sold in 2021 are vulnerable unless they receive a patch.
The ALAC vulnerability (tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek) can also be exploited by unprivileged Android applications to elevate their system permissions on media data and device microphones, raising the specter of eavesdropping on nearby conversations and other ambient sounds.
The two chipset makers submitted patches to Google or the device makers last year, which in turn delivered the patches to eligible users in December. Android users who want to know if their device has been patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many phones still don’t receive security patches regularly, if at all, and those with patch levels before December 2021 remain vulnerable.
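For anyone checking more than one handset, the same patch-level test can be scripted over adb. This is an added example, not code from Check Point, Qualcomm or MediaTek; it assumes adb is installed and USB debugging is authorized on each device, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify Android devices against the December 2021
# security patch level named in the article.

FIX_LEVEL="2021-12-01"   # first patch level dated December 2021

# patch_status LEVEL -> prints patched | vulnerable | unknown
patch_status() {
    level=$1
    # Android reports the patch level as YYYY-MM-DD; anything else
    # (empty, free text, truncated output) is treated as unknown.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Zero-padded ISO dates compare correctly as integers once the
    # dashes are stripped.
    have=$(echo "$level" | tr -d '-')
    need=$(echo "$FIX_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# audit_devices: one line per online, authorized device:
#   serial <TAB> reported patch level <TAB> status
audit_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from consuming the serial list on stdin;
        # tr strips the carriage return some adb versions append.
        level=$(adb -s "$serial" shell getprop \
            ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "${level:-none}" \
            "$(patch_status "$level")"
    done
}

# Only touch adb when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--audit" ]; then
    audit_devices
fi
```

Run it with `--audit` to list every connected device; a status of `unknown` means the device did not return a parseable patch level and should be checked by hand in the OS settings.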
The flaw raises questions about the reliability of the open-source code used by Qualcomm and MediaTek and the methods by which they maintain its security. While Apple has been able to update its proprietary ALAC codebase to fix vulnerabilities over the years, the two chipset giants have not followed suit. The flaw also raises the question of whether other open-source code libraries used by chipmakers are similarly outdated.
Qualcomm officials wrote in a statement:
Providing technology that supports strong security and privacy is a top priority for Qualcomm Technologies. We commend Check Point Technologies’ security researchers for using industry-standard harmonized disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies provided a patch to device manufacturers in October 2021. We encourage end users to update their devices when security updates are available.
MediaTek did not immediately respond to a message.
Check Point said it will provide technical details of the vulnerability at the CanSecWest conference in Vancouver next month.