Almost all Android smartphones could be vulnerable to remote code execution as a result of vulnerabilities discovered in the audio decoders of Qualcomm and MediaTek chips.
The discovery of these vulnerabilities was made by Check Point Research (CPR) and if left unpatched, an attacker could exploit them to remotely gain access to a device’s camera and microphone by using a malformed audio file. At the same time, an unprivileged Android app could leverage these vulnerabilities to escalate its privileges in order to spy on a user’s media data and listen in on their conversations.
Since most Android devices are powered by either Qualcomm or MediaTek chips, the impact of these vulnerabilities is wide reaching but thankfully, CPR responsibly disclosed its findings to both chipmakers who have since issued fixes.
Check Point security researcher Slava Makkaveev provided further insight on the firm’s findings regarding these high and critical severity vulnerabilities in a press release, saying:
"We've discovered a set of vulnerabilities that could be used for remote execution and privilege escalation on two-thirds of the world's mobile devices. The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone. In our proof of concept, we were able to steal the phone's camera stream. What is the most sensitive information on your phone? I think it's your media: audio and videos. An attacker could have stolen that through these vulnerabilities.”
Vulnerable audio decoders
The vulnerabilities themselves were found in Apple Lossless Audio Codec (ALAC) which is also known as Apple Lossless.
First introduced back in 2004 for lossless data compression of digital music, at the end of 2011 Apple made ALAC open source and the format is now embedded in many non-Apple audio playback devices and programs including Android smartphones as well as Linux and Windows media players and converters.
While Apple has updated the proprietary version of its decoder by fixing and patching security issues several times, the shared code in the open source version of ALAC has not been patched since 2011. CPR discovered that Qualcomm and MediaTek ported the vulnerable ALAC code into their own audio decoders which is why so many Android smartphones are now at risk.
CPR responsibly disclosed its findings to both chipmakers last year and they in turn released patches to fix all of their vulnerable audio decoders back in December. To avoid falling victim to any potential attacks though, you should make sure that your Android device has been updated with all of the latest patches.
