Hackers might have taken control of millions of Android devices because of a critical issue.
Researchers found a flaw in Qualcomm and MediaTek mobile chipsets that could have allowed hackers to take control of millions of Android devices.
The flaw was in ALAC, an audio format Apple introduced in 2004 to deliver lossless audio over the Internet. Apple has consistently updated its proprietary version to address security flaws, but the open-source decoders used by Qualcomm and MediaTek haven’t been updated since 2011.
Qualcomm and MediaTek supply the mobile chipsets for an estimated 95% of US Android devices.
Device for remote bugging
The buggy ALAC code contained an out-of-bounds vulnerability, meaning it could access data stored outside the bounds of its allocated memory. Hackers might exploit this flaw to force the decoder to run malicious code that would otherwise be off-limits.
Using a malformed audio file, an attacker could execute code on an affected mobile device through the ALAC flaws discovered by Check Point’s researchers, the company stated on Thursday. Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. If an RCE vulnerability is present, it can allow an attacker to take control of the user’s multimedia data, including video streaming from a compromised machine’s camera.
If the vulnerability has not been fixed on them, it’s possible that two-thirds of all smartphones sold in 2021 are vulnerable to the attack.
An unprivileged Android app could use the ALAC vulnerability (tracked as CVE-2021-30351 by Qualcomm and as CVE-2021-0674 and CVE-2021-0675 by MediaTek) to get access to media data and the device microphone, raising the possibility of listening in on nearby conversations and other ambient sound.
Both chipmakers submitted patches to Google or to device manufacturers last year, which in turn delivered the patches to eligible users in December. Users can check the security patch level in Android’s OS settings to see whether their device has been patched. A patch level of December 2021 or later means that the device is no longer at risk of being compromised. However, many phones still receive security fixes seldom, if ever, and those with a patch level prior to December 2021 are still at risk.
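The patch-level check described above can be scripted for a drawer of test phones. The following is an added example, not code from Check Point or either chipmaker; the function names are hypothetical, the sample levels are constructed, and it assumes `adb` with USB debugging authorised when run against real devices.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# December 2021 level that the article gives as the fixed baseline.

FIXED_LEVEL="2021-12-01"   # earliest "December 2021" patch level string

# patch_status LEVEL -> prints "patched", "vulnerable" or "unknown"
patch_status() {
    level=$1
    # Android reports the level as YYYY-MM-DD; treat anything else as unknown
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Fixed-width ISO dates compare correctly once the dashes are removed
    have=$(echo "$level" | tr -d -)
    need=$(echo "$FIXED_LEVEL" | tr -d -)
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# audit_devices: prints "serial level status" for every device adb can see.
audit_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from consuming the loop's input
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
                </dev/null | tr -d '\r')
        echo "$serial $level $(patch_status "$level")"
    done
}

# Constructed sample levels, not read from real devices
for sample in 2021-11-05 2021-12-01 2022-03-05 "Dec 2021"; do
    echo "$sample -> $(patch_status "$sample")"
done
```

Call `audit_devices` after connecting the phones; an "unknown" result means the device returned no parseable patch level and should be checked by hand in its settings.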
This issue has put Qualcomm’s and MediaTek’s use of open-source code and their security practices under scrutiny. It’s alarming that the two biggest chipmakers haven’t followed the lead of Apple, which has patched vulnerabilities in its proprietary ALAC codebase throughout the years. Additionally, it is possible that other open-source code libraries used by chipmakers may also be in need of an update.
Qualcomm said in a statement:
Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.