Audio format errors exposed millions of Android phones to remote hacking

Security researchers have revealed a bug in an audio encoding format that could have been exploited for remote attacks on Android phones simply by sending a malicious audio file.

The bug involved the Apple Lossless Audio Codec (ALAC), according to security firm Check Point, which revealed the problem last year. The codec is open source and widely used across non-iPhone devices, including Android smartphones.

For years, Apple has been updating the proprietary version of ALAC, but the open source version has remained unpatched since 2011, according to Check Point. This prompted the security firm to reveal a serious vulnerability in how a few large companies implemented ALAC.

“Check Point Research has discovered that Qualcomm and MediaTek, two of the largest mobile chipset manufacturers in the world, ported the vulnerable ALAC code into their audio encoders, which are used in more than half of all smartphones worldwide,” wrote the security company in a blog post.

Security bulletins from Qualcomm and MediaTek indicate that the bug affected dozens of chipsets from both companies, including Snapdragon 888 and 865, meaning millions of Android smartphones were affected.

The vulnerability could allow a hacker to remotely execute code on an Android phone by sending a malicious audio file that triggers the ALAC error. From there, the hacker could try to install additional malware on the device or try to access the camera.

Existing mobile apps could also exploit the bug to access the media folder of an affected Android smartphone without asking the user for permission, according to Check Point.

The good news is that Qualcomm and MediaTek fixed the bug in December, after the problem was first reported. Check Point also found no evidence that hackers have ever exploited the vulnerability.


To make sure you are protected, check whether your phone has received the 2021-12-05 or later Android security patch. This can usually be done by opening the phone’s settings, going to ‘About phone’ and checking the Android version, where the security patch level is listed.
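For anyone checking more than one handset, the same test can be scripted. The POSIX shell snippet below is an added example, not code from the article or from Check Point: it reads the device’s security patch level (the real Android system property `ro.build.version.security_patch`, which holds an ISO date such as 2021-12-05), and compares it against the 2021-12-05 minimum the article names. The `adb` helper assumes `adb` is on the PATH and exactly one authorised device is attached; the comparison function itself takes the patch string as an argument so it can be tested without a device.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an Android security
# patch level is at or after the 2021-12-05 minimum named in the text.
# A patch level is an ISO date (YYYY-MM-DD); stripping the dashes gives an
# integer YYYYMMDD that compares correctly with -ge.

MIN_PATCH="2021-12-05"

# patch_is_sufficient LEVEL
#   returns 0 if LEVEL >= MIN_PATCH, 1 if it is older,
#   2 if LEVEL does not look like a YYYY-MM-DD date at all.
patch_is_sufficient() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    [ "$have" -ge "$need" ]
}

# report LEVEL: print a one-line verdict for a patch level string.
report() {
    if patch_is_sufficient "$1"; then
        echo "patch level $1: at or after $MIN_PATCH, ALAC fix expected"
    else
        echo "patch level '$1': older than $MIN_PATCH or unreadable; update the device"
    fi
}

# check_attached_device: query the patch level over adb (assumption: adb is
# installed and one device is authorised) and report on it.
check_attached_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping device check" >&2
        return 2
    fi
    # adb output from the device ends in CRLF; drop the carriage return.
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    report "$level"
}

# Usage: ./alac_patch_check.sh            (checks the attached device)
#        ./alac_patch_check.sh 2021-11-05 (checks a patch level given by hand)
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it with no arguments against a phone connected over USB debugging, or pass a patch level string by hand (for example one copied from a fleet inventory) to get the verdict without a device.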

The bug affecting the Qualcomm devices has been named CVE-2021-30351. Meanwhile, MediaTek has assigned CVE-2021-0674 and CVE-2021-0675 as the official designations for the vulnerability. Check Point plans to reveal more details about the software bug at the CanSecWest conference scheduled for May 18-20.

In a statement, Qualcomm said: “We commend the security researchers from Check Point Technologies for using industry-standard coordinated detection practices. Regarding the ALAC audio codec issue they uncovered, Qualcomm Technologies made patches available to device manufacturers in October 2021. We urge users to update their devices as security updates become available.”
