By Paul Rose Jr. for Wealth of Geeks
It’s almost the time of year (May) when Google rolls out their latest annual Android operating system update. Some users expected it to come earlier this year, in part to combat the overheating issue, as well as the Android Auto bug. Fortunately, Google is finally releasing Android 13 Beta 1. But for two-thirds of Android users, a major problem threatens – ALHACK.
To be clear, a patch has already been issued to correct the vulnerability of the major phone chip manufacturers Qualcomm and MediaTek in December 2021. But if it’s been a while since you updated your phone, your device may still be vulnerable to a malicious backdoor software attack.
Wait, there’s Apple in my Android?
To fully understand the problem, we need to go back to 2011. That was when Apple opened the codec for lossless audio. Released in 2004, the Apple Lossless Audio Codec or ALAC was designed to provide the best digital audio from the smallest possible file size. It was what made it possible to play compressed audio files on iPhones and iPods, as well as Macs, in professional sound quality.
Although they would sometimes be a serious drain on the battery, the file size was half the size of an uncompressed disc, allowing many more songs to be stored. In 2011, Apple released the codec details on the Apache license server, and many other companies snatched them to improve their operating systems and chipsets.
Rear door vulnerability
Unfortunately, an unexpected side effect of using the ALAC codec as released was that hackers could use a malformed audio file to play the system. The audio file, which appears to be damaged, opens the phone for remote access.
Hackers do not have to be near the phone to do so, giving them access to your device including listening to conversations and even streaming live video. The Remote Code Execution (RCE) attack also allowed hackers to change device privileges, giving them access to data stored on the phone that even the user cannot see.
While Apple has constantly updated and reworked their internal ALAC codec over the years, they have never updated open source. Therefore, the vulnerability was left undiscovered until Check Point Research discovered it and reached out to Qualcomm and MediaTek. Fortunately, the two major technology companies acted quickly to protect their users.
The correction is in
Patches that repaired the codec were issued in December 2021 and passed on to phone manufacturers so they could update the coded before more phones were sent out. But it still leaves millions of Android phones manufactured and sold in 2021, which may still be in jeopardy. Especially if you’re more careful about updating to Beta releases or just in the dark about the danger of your technology.
Regardless of your usual approach, experts recommend that all Android users download the latest security updates, at least to protect their devices. Incidentally, there is a possibility that Google will release Android 13 Beta 2 in late May, so now it would be time to update and avoid new bugs being detected.
Hopefully this will serve as a lesson to the two best Android chip makers not to cut corners and double check all the technology they are working on, instead of transferring this risk to the end consumer. It’s not a price Android phone users have to pay.