A trio of vulnerabilities discovered in Qualcomm and MediaTek chipsets were finally fixed at the end of last year, but not before two-thirds of Android handsets were at risk of an attacker gaining access to media and audio calls. Both Qualcomm and MediaTek use the Apple Lossless Audio Codec (ALAC), which enables lossless data compression of digital music streams.
Qualcomm and MediaTek chips were affected by the vulnerabilities
Check Point Research has discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio encoders, which it says is used on over half of all smartphones worldwide. Check Point notes that the latest IDC figures show that a leading share of 48.1% of all Android phones in the states are equipped with a MediaTek chipset, with 47% using Qualcomm.
Security researcher Slava Makkaveev, who discovered the vulnerabilities along with Netanel Ben Simon, said: “The vulnerabilities were easily exploited. A threatening actor could have sent a song (media file) and when played by a potential victim, it could have injected code into the privileged “The threatening actor could have seen what the mobile phone user sees on their phone.”