67% of Android phones were at risk of a remote attack until the end of last year

A trio of vulnerabilities discovered in Qualcomm and MediaTek chipsets were finally fixed at the end of last year, but not before two-thirds of Android handsets were at risk of an attacker gaining access to media and audio calls. Both Qualcomm and MediaTek use the Apple Lossless Audio Codec (ALAC), which enables lossless data compression of digital music streams.

A little over a decade ago, Apple made ALAC open source so that the format could be used on non-Apple devices, including Android phones. There have been several updates, but the open-source code had not been fixed since 2011.

Researchers at Israeli security firm Check Point Research discovered that attackers could use the vulnerabilities to carry out a remote code execution (RCE) attack. Check Point wrote in its blog that “the impact of an RCE vulnerability can range from malware execution to an attacker gaining control of a user’s multimedia data, including streaming from the camera of a compromised machine.” Additionally, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Check Point Research discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio encoders, which it says are used on over half of all smartphones worldwide. Check Point notes that the latest IDC figures show MediaTek chipsets holding a leading share of 48.1% of all Android phones in the United States, with 47% using Qualcomm.

Check Point passed its findings on to both Qualcomm and MediaTek. The latter assigned two Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2021-0674 and CVE-2021-0675, to the ALAC vulnerabilities, which had already been addressed by MediaTek and published in the December 2021 MediaTek Security Bulletin. Qualcomm released a patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Security researcher Slava Makkaveev, who discovered the vulnerabilities along with Netanel Ben Simon, said: “The vulnerabilities were easily exploited. A threat actor could have sent a song (media file), and when played by a potential victim, it could have injected code into the privileged “The threat actor could have seen what the mobile phone user sees on their phone.”