Security researchers have uncovered vulnerabilities in an audio codec, putting millions of Android phones and other Android devices powered by MediaTek and Qualcomm chipsets at risk of being compromised by hackers. The vulnerabilities, originating from a codec created by Apple a few years ago, have not been patched since the company made the codec open source for inclusion on non-Apple devices 11 years ago. By exploiting the vulnerabilities, an attacker could remotely access an Android phone’s media and audio calls, according to the researchers.
according to a report By researchers at Check Point Research, a flaw in Apple’s Apple Lossless Audio Codec (ALAC) allows an attacker to perform a Remote Code Execution (RCE) attack on a target smartphone after sending a corrupted audio file. An RCE attack can allow the attacker to take control of multimedia on the handset, including video streaming from the cameras, access to media, and user calls.
The vulnerabilities were discovered in Apple’s ALAC codec, made open-source by the company in 2011 – allowing non-Apple devices to stream music in “lossless” quality using Apple’s previously proprietary codec. However, while Apple patched the proprietary version of the ALAC codec, the open-source version remained unpatched, according to the researchers.
As a result, Qualcomm and MediaTek, chipset manufacturers, have ported the vulnerable ALAC codec to their audio decoders, resulting in over two-thirds of all smartphones sold in 2021 being vulnerable to the vulnerabilities dubbed “ALHACK” by the researchers . The vulnerabilities have been responsibly disclosed to Qualcomm and MediaTek, both of whom acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) for the bugs. assigned to MediaTek CVE-2021-0674 and CVE-2021-0675 (rated Medium and High, respectively) while Qualcomm was assigned CVE-2021-30351 (with a Critical rating of 9.8 out of 10) on the ALAC bugs before patching them.
According to the researchers, both companies have issued patches for the bugs they contain December 2021 Android Security Bulletin, meaning users with smartphones that received the December security patches should be safe from the vulnerabilities. However, this excludes millions of users running outdated software or users who receive infrequent security updates, putting them at risk of being compromised by attackers.