Critical bug could have let hackers commandeer millions of Android devices
Getty Images
Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.
The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.
Together, Qualcomm and MediaTek supply mobile chipsets for an estimated 95 percent of US Android devices.
Remote bugging device
The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the limits of allocated memory. Hackers could exploit this mistake to force the decoder to execute malicious code that otherwise would be off-limits.
“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”
Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they’ve received a patch.
The ALAC vulnerability—tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek—can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.
The two chipset manufacturers submitted patches last year to either Google or to device makers, which in turn delivered the patches to qualifying…
