Security researchers say they have discovered a vulnerability that could allow hackers to gain control of millions of Android devices equipped with mobile phone chips produced by Qualcomm and MediaTek.
The vulnerability lies in ALAC – short for Apple Lossless Audio Codec and also known as Apple Lossless – an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its own version of the decoder to fix vulnerabilities over the years, an open source version used by Qualcomm and MediaTek hasn’t been updated since 2011.
Qualcomm and MediaTek together offer mobile chipsets for an estimated 95 percent of US Android devices.
Remote eavesdropping device
The buggy ALAC code contained an out-of-bounds vulnerability, meaning that it retrieved data from outside the bounds of allocated memory. Hackers can exploit this bug to force the decoder to execute malicious code that would otherwise be prohibited.
“ALAC issues that our researchers found could be used by an attacker for a remote code execution (RCE) attack on a mobile device through a corrupt audio file,” security firm Check Point said Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of the RCE vulnerability can range from executing malware to an attacker taking control of a user’s multimedia data, including streaming from the compromised device’s camera.”
Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they have received a patch.
The ALAC vulnerability, tracked as CVE-2021-30351 by Qualcomm and as CVE-2021-0674 and CVE-2021-0675 by MediaTek, can also be exploited by a non-privileged Android app to escalate its system privileges to media data and the device’s microphone, raising the specter of eavesdropping on nearby conversations and other ambient sounds.
The two chip makers submitted patches last year to either Google or device makers, which in turn delivered the patches to eligible users in December. Android users who want to know if their device has been patched can check the security patch level in the operating system settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many phones still do not receive security patches on a regular basis, if at all, and those with a patch level before December 2021 remain vulnerable.
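The patch-level check described above, scripted for more than one device, as an added example that is not part of the original article. It assumes `adb` is on the PATH and that `ro.build.version.security_patch` is the property read; the function names are hypothetical and the sample serials and levels are constructed.

```shell
# Added example: flag patch levels before December 2021 (the article's cutoff).
CUTOFF=202112   # YYYYMM

# Prints patched | vulnerable | unknown for a YYYY-MM-DD patch level.
classify_patch_level() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;      # empty, truncated or malformed value
    esac
    ym=${1%-*}                            # 2021-11-05 -> 2021-11
    month=${ym#*-}
    case $month in
        0[1-9]|1[0-2]) ;;
        *) echo unknown; return 0 ;;      # month out of range
    esac
    if [ "${ym%-*}$month" -ge "$CUTOFF" ]; then echo patched; else echo vulnerable; fi
}

# Reads "SERIAL LEVEL" lines on stdin, prints "SERIAL LEVEL STATUS".
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial ${level:--} $(classify_patch_level "$level")"
    done
}

# Emits "SERIAL LEVEL" for each attached, authorised device (assumes adb on PATH).
# ro.build.version.security_patch backs the patch level shown in Settings.
adb_inventory() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the device list
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial $level"
    done
}

# Constructed sample inventory (serials and levels are made up for the demo).
sample_inventory() {
    cat <<'EOF'
emulator-5554 2021-11-05
R58M000TEST 2021-12-01
ZX1G000TEST 2020-09-01
FAKE0001
EOF
}

sample_inventory | audit_inventory   # live use: adb_inventory | audit_inventory
```

Devices reported as `unknown` returned no parseable patch level and need a manual check in Settings.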
The vulnerability calls into question the reliability of the open source code used by Qualcomm and MediaTek and their ways of keeping it secure. If Apple has been able to update its ALAC codebase over the years to fix vulnerabilities, it is worrying that the two chipset giants have not followed suit. This vulnerability also raises the question of what other open source code libraries used by chip makers might be similarly outdated.
In a statement, Qualcomm officials wrote:
Providing technologies that support strong security and privacy is a priority for Qualcomm Technologies. We commend security researchers from Check Point Technologies for using coordinated detection practices that are aligned with industry standards. Regarding the ALAC audio decoder issue that was revealed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates become available.
MediaTek did not immediately respond to a message.
Check Point said it will present technical details of the vulnerability next month at the CanSecWest conference in Vancouver.