The ALAC bug made millions of Android devices vulnerable to takeover

Dhruv Bhutani / Android Authority

TL;DR

  • A major vulnerability affected the vast majority of Android phones from 2021.
  • The problem is caused by compromised ALAC audio code.
  • The vulnerable code was included in MediaTek and Qualcomm audio encoders.

An error in the Apple Lossless Audio Codec (ALAC) affects two-thirds of the Android devices sold in 2021, leaving unpatched devices vulnerable to takeover.

ALAC is an audio format that Apple developed in 2004 for use in iTunes, providing lossless data compression. After Apple open-sourced the format in 2011, companies around the world adopted it. Unfortunately, as Check Point Research points out, while Apple has updated its own version of ALAC over the years, the open source version has not been updated with security patches since it was made available in 2011. As a result, an unpatched vulnerability was included in chipsets made by Qualcomm and MediaTek.

According to Check Point Research, both MediaTek and Qualcomm included the compromised ALAC code in their chips’ audio encoders. Because of this, hackers could use a malformed audio file to carry out a remote code execution (RCE) attack. RCE is considered the most dangerous form of exploitation as it does not require physical access to a device and can be performed remotely.

Using the malformed audio file, hackers could execute malicious code, gain control over a user’s media files, and access the camera’s streaming functionality. The vulnerability can even be used to grant an Android app additional privileges, giving the hacker access to the user’s conversations.

Given MediaTek and Qualcomm’s position in the mobile chip market, Check Point Research believes that the vulnerability affects two-thirds of all Android phones sold in 2021. Fortunately, both companies released patches in December of that year, which were sent downstream to device manufacturers.

Nevertheless, as Ars Technica points out, the vulnerability raises serious questions about the measures taken by Qualcomm and MediaTek to ensure the security of the code they implement. Apple had no problem updating its ALAC code to resolve vulnerabilities, so why did Qualcomm and MediaTek not do the same? Why did the two companies rely on decades-old code without any attempt to ensure it was secure and up-to-date? Most importantly, are there other frameworks, libraries, or codecs in use with similar vulnerabilities?

While there are no clear answers, the seriousness of this episode will hopefully spur on changes aimed at keeping users safe.