Millions of Android devices are said to be vulnerable to a remote code execution attack due to flaws in an audio codec that Apple released years ago but hasn’t been patched since. to alert Check Point researchers. They discovered a bug in the Apple Lossless Audio Codec (ALAC), an audio compression technology that Apple released in 2011. This codec was subsequently integrated into Android devices and programs for playback. audio, making vulnerable a very large part of the smartphones and other mobile devices currently used in the world.
The problem, as Check Point researchers note, is that while Apple has updated and patched its proprietary version of ALAC, ALAC’s open-source code hasn’t been updated since 2011. all the more dangerous as this open source code contains a critical flaw that allows remote code execution. Enough to allow a hacker to exploit this flaw by sending the target a malformed audio file, allowing the latter to execute malware on any Android device!
The flaw could even have “led an attacker to gain access to their media and audio conversations remotely”, explain the Check Point researchers. These bugs affect Android devices with MediaTek and Qualcomm chips, both of which have confirmed the flaws. Qualcomm patched the flaw, known as CVE-2021-30351, in its December security update. MediaTek also fixed the ALAC issues, spotted as CVE-2021-0674 and CVE-2021-0675, in its December security update.
A critical flaw
As a consequence of the dangerousness of this flaw, Qualcomm gave it a “critical” rating with a severity score of 9.8 out of 10 possible. “Out-of-bounds memory access may occur due to improper validation of the number of frames passed during music playback,” Qualcomm said in its advisory. MediaTek has classified CVE-2021-0675 as a “high” severity elevation of privilege bug due to “incorrectly restricting operations within a memory buffer in the alac decoder”. It affects dozens of MediaTek chips used in devices running Android versions 8.1, 9.0, 10.0 and 11.0.
The number of vulnerable Android devices depends on the number of people who have installed firmware updates in which the vulnerabilities are fixed. Still, the two chipmakers are the biggest sellers of system-on-chips used in Android devices. Check Point estimates that two-thirds of all smartphones sold in 2021 are vulnerable to what it calls “ALHACK”.
Google released a fix for the Qualcomm bug and MediaTek’s CVE-2021-0675 in its December 2021 update. However, it’s still up to each Android phone maker to roll out the fixes at their own pace. Vigilance therefore remains very much in order for all owners of Android smartphones.
Source: ZDNet.com