Critical bug could have let hackers commandeer millions of Android devices

silversurfer

Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.

The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.

The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the limits of allocated memory. Hackers could exploit this mistake to force the decoder to execute malicious code that otherwise would be off-limits.

“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”

Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they've received a patch.

The ALAC vulnerability—tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek—can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.

The two chipset manufacturers submitted patches last year to either Google or to device makers, which in turn delivered the patches to qualifying users in December. Android users who want to know if their device is patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets still don’t receive security patches on a regular basis, if at all, and those with a patch level prior to December 2021 remain susceptible.
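
The patch-level check described above can be scripted for a batch of handsets. This is an added example, not part of the original post or the article: it reads Android's `ro.build.version.security_patch` property over `adb` and applies the December 2021 threshold stated above. It assumes `adb` is installed and USB debugging is authorized on each device; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): audit Android security patch levels
# against the December 2021 threshold the article gives for the ALAC fixes.

THRESHOLD=202112   # YYYYMM; "December 2021 or later" per the article

# classify_patch_level LEVEL
# LEVEL is the YYYY-MM-DD string Android reports as its security patch level.
# Prints "patched", "vulnerable", or "unknown" (malformed or empty input).
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    year=${level%%-*}
    rest=${level#*-}
    month=${rest%%-*}
    case "$month" in
        0[1-9]|1[0-2]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # test(1) compares as decimal integers, so a leading zero is harmless.
    if [ "${year}${month}" -ge "$THRESHOLD" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# audit_connected_devices: report every device adb lists in state "device".
audit_connected_devices() {
    adb devices | while read -r serial state; do
        [ "$state" = "device" ] || continue
        # </dev/null stops adb from swallowing the rest of the loop's input.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
                    </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "${level:-none}" \
            "$(classify_patch_level "$level")"
    done
}

# Run the audit only when asked: sh patchlevel.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_connected_devices
fi
```

The patch level is whatever the device firmware reports, so an "unknown" result (unauthorized device, missing property) should be treated as unverified rather than patched.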