Security researchers said they uncovered a vulnerability that could have allowed hackers to take over millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.
The vulnerability lay in ALAC – an abbreviation for Apple Lossless Audio Codec and also known as Apple Lossless – which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to address security vulnerabilities over the years, an open source version used by Qualcomm and MediaTek had not been updated since 2011.
Together, Qualcomm and MediaTek supply mobile chipsets to an estimated 95 percent of US Android devices.
Remote bugging device
The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the boundaries of allocated memory. Hackers could exploit this flaw to force the decoder to execute malicious code that would otherwise be off-limits.
“The ALAC issues that our researchers found could be exploited by a remote code execution (RCE) attacker on a mobile device through a malformed audio file,” security firm Check Point said Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control of a user’s multimedia data, including streaming from a compromised machine’s camera.”
Check Point quoted a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they have received a patch.
The ALAC vulnerability – tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek – can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device’s microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.
The two chipset manufacturers submitted patches last year to either Google or to device manufacturers, who in turn delivered the patches to eligible users in December. Android users who want to know if their device is patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. However, many handsets still do not receive security patches on a regular basis, if at all, and those with a patch level before December 2021 remain susceptible.
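The patch-level check described above can be run across a device inventory instead of one handset at a time. The following script is an added example, not code from Check Point or the chipset vendors; the function names and the inventory format are assumptions, and the sample serials are constructed.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# December 2021 threshold the article gives for the ALAC fixes.
# On a live device the level can be read with:
#   adb shell getprop ro.build.version.security_patch

FIXED_LEVEL=20211201   # first patch level of December 2021, as YYYYMMDD

# patch_status LEVEL -> prints patched | vulnerable | unknown
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or malformed: treat as unverified
    esac
    n=$(printf '%s' "$1" | tr -cd '0-9')   # 2021-12-01 -> 20211201
    if [ "$n" -ge "$FIXED_LEVEL" ]; then echo patched; else echo vulnerable; fi
}

# audit_inventory: reads "serial patch_level" lines on stdin and prints
# one "serial level status" line for every device not confirmed patched.
audit_inventory() {
    while read -r serial level _; do
        case "$serial" in ''|'#'*) continue ;; esac   # skip blanks and comments
        status=$(patch_status "$level")
        [ "$status" = patched ] || printf '%s %s %s\n' "$serial" "${level:-none}" "$status"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
sample_inventory() {
    cat <<'EOF'
# serial patch_level
DEV-A001 2021-11-05
DEV-A002 2021-12-01
DEV-A003 2022-03-05
DEV-A004
DEV-A005 2020-8-1
EOF
}

sample_inventory | audit_inventory
```

Devices with a missing or malformed patch level are reported as unknown rather than assumed patched, so they get followed up instead of silently passing the audit.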
The vulnerability calls into question the reliability of the open source code used by Qualcomm and MediaTek and their methods of maintaining its security. If Apple can update its proprietary ALAC code base over the years to correct vulnerabilities, it’s worrying that the two chipset behemoths have not followed suit. The vulnerability also raises the question of what other open source code libraries used by chip makers may be similarly outdated.
In a statement, Qualcomm officials wrote:
Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio encoder issue that they revealed, Qualcomm Technologies made patches available to device manufacturers in October 2021. We encourage end users to update their devices as security updates become available.
MediaTek did not immediately respond to a message.
Check Point said it will provide technical details on the vulnerability next month at the CanSecWest conference in Vancouver.