Almost all Android smartphones can be vulnerable to remote code execution due to vulnerabilities detected in the audio decoders on Qualcomm and MediaTek chips.
These vulnerabilities were discovered by Check Point Research (CPR). Left unpatched, they could let an attacker gain remote access to a device’s camera and microphone using a malformed audio file. Separately, an unprivileged Android app could exploit them to escalate its privileges, spy on a user’s media data and listen to their conversations.
Since most Android devices are powered by either Qualcomm or MediaTek chips, the impact of these vulnerabilities is far-reaching, but fortunately CPR responsibly disclosed its findings to both chip makers, who have since issued fixes.
Check Point security researcher Slava Makkaveev provided further insight into the firm’s findings regarding these high and critical severity vulnerabilities in a press release:
“We have discovered a set of vulnerabilities that could be used for remote performance and privilege escalation on two thirds of the world’s mobile devices. The vulnerabilities were easy to exploit. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code into the privileged media service. The threat actor could have seen what the cell phone user sees on their phone. In our proof of concept we were able to steal the phone’s camera power. What is the most sensitive information on your phone? I think it’s your media: audio and video. An attacker could have stolen it through these vulnerabilities.”
Vulnerable audio decoders
The vulnerabilities themselves were found in the Apple Lossless Audio Codec (ALAC), also known as Apple Lossless.
Apple first introduced ALAC in 2004 for lossless compression of digital music and made it open source in late 2011; the format is now embedded in many non-Apple audio playback devices and applications, including Android smartphones as well as Linux and Windows media players and converters.
While Apple has patched security issues in the proprietary version of its decoder several times, the shared code in the open source version of ALAC has not been updated since 2011. CPR found that Qualcomm and MediaTek had ported the vulnerable ALAC code into their own audio decoders, which is why so many Android smartphones are at risk.
CPR responsibly disclosed its results to both chip manufacturers last year, and they in turn released patches for all their vulnerable audio decoders in December. To avoid falling victim to potential attacks, make sure your Android device has been updated with all the latest patches.
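As an added example that is not part of the article or of Check Point's research, the following script checks over adb whether a connected Android device carries a security patch level at or after the fix the article describes. It assumes the fixes shipped in the December 2021 Android patch level (the article says only "December"), and that adb and USB debugging are available.

```shell
#!/bin/sh
# Added example, not code from the article or from Check Point.
# Checks whether a connected Android device carries a security patch level at or
# after the release that fixed the ALAC decoders. Assumption: those fixes shipped
# in the December 2021 patch level, so the default threshold is 2021-12-01.
REQUIRED_PATCH="${1:-2021-12-01}"

# patch_is_current <device_level> <required_level>
# Both are YYYY-MM-DD; stripping the dashes yields 8-digit integers that compare
# numerically. Returns 0 if patched, 1 if behind, 2 if the value is malformed.
patch_is_current() {
    device="$1"
    required="$2"
    case "$device" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    dev_num=$(printf '%s' "$device" | tr -d -)
    req_num=$(printf '%s' "$required" | tr -d -)
    [ "$dev_num" -ge "$req_num" ]
}

# read_prop <name>: query a system property over adb (USB debugging required),
# dropping the CR that adb shell appends on some hosts.
read_prop() {
    adb shell getprop "$1" 2>/dev/null | tr -d '\r\n'
}

main() {
    level=$(read_prop ro.build.version.security_patch)
    board=$(read_prop ro.board.platform)   # informational: SoC platform string
    rc=0
    patch_is_current "$level" "$REQUIRED_PATCH" || rc=$?
    case $rc in
        0) echo "OK: patch level $level (platform: ${board:-unknown}) is at or after $REQUIRED_PATCH" ;;
        1) echo "AT RISK: patch level $level (platform: ${board:-unknown}) predates $REQUIRED_PATCH; install the vendor update" ;;
        *) echo "Could not read ro.build.version.security_patch; is a device connected and authorized?" >&2 ;;
    esac
    return $rc
}

# Run only when adb is installed; '|| :' keeps a non-zero verdict from aborting
# a caller that sourced this file with 'set -e'.
if command -v adb >/dev/null 2>&1; then
    main || :
else
    echo "adb not found: install Android platform-tools to query a device" >&2
fi
```

The patch level reported by `ro.build.version.security_patch` is the date string shown under Settings > About phone, so the same comparison can be done by hand on a device without adb access.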