Due to a weakness in the implementation of the Apple Lossless Audio Codec (ALAC), security experts discovered that Android smartphones with Qualcomm and MediaTek chipsets were vulnerable to remote code execution.
Apple open-sourced ALAC, an audio coding standard for lossless audio compression, in 2011. Since then, the firm has released upgrades to the format, including security improvements, although not all third-party vendors that use the codec have implemented these fixes.
Qualcomm and MediaTek, two of the world’s major smartphone chip producers, are among them, according to Check Point Research.
RCE’s signature sound
The researchers have not yet revealed many specifics about how the holes were exploited, but they have pledged to do so at the next CanSecWest conference in May 2022.
The vulnerability allows a remote attacker to execute malware on a target device by delivering a maliciously engineered audio file and misleading the user into opening it, according to the information provided. This attack has been dubbed “ALHACK” by the researchers.
Data breaches, malware planting and execution, altered device settings, access to hardware components such as the microphone and camera, and account takeover are all serious consequences of remote code execution attacks.
MediaTek and Qualcomm patched the ALAC weaknesses in December 2021. They are tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score).
According to the researchers, Qualcomm and MediaTek’s ALAC decoder implementations include potential out-of-bounds reads and writes, as well as improper validation of audio frames delivered during music playback.
Information might be disclosed and privileges could be elevated without the need for user interaction.
Qualcomm was contacted by BleepingComputer for comment on the current danger to customers. The following is a statement from a company spokesperson:
Qualcomm Technology makes it a priority to develop technologies that offer strong security and privacy. We applaud Check Point Technologies’ security researchers for employing industry-standard coordinated disclosure techniques. Qualcomm Technologies made fixes available to device makers in October 2021 for the ALAC audio decoder bug they revealed. End users are encouraged to upgrade their devices as soon as security updates become available.
The problem with audio codecs
Almost every monthly Android security release includes fixes for remote code execution problems in closed-source audio processing modules.
Exploiting them, on the other hand, is rarely simple, and the component suppliers disclose few technical details to decrease the danger of exploitation.
In April’s Android updates, for example, nine serious vulnerabilities in closed-source components were addressed. One of them, CVE-2021-35104 (9.8 severity score), is a buffer overflow involving incorrect header parsing while playing FLAC audio clips.
The problem affected chipsets in practically every Qualcomm device produced in the last several years.
How to Keep Yourself Safe
Keep your devices up to date, which in this instance means running the Android patch level “December 2021” or later.
Installing a third-party Android distribution that still offers Android fixes is a viable solution if the device no longer receives security updates from the OEM.
Finally, it is advisable not to open audio files received from unknown or dubious sources/users because they may trigger the vulnerability.
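To check the patch-level advice above across several devices, the following added example (not from the original article or from any vendor) classifies reported patch levels against “December 2021”. The function names, the inventory format and the sample devices are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag devices below the "December 2021" Android patch level.
# On a real device the level comes from
#   adb -s SERIAL shell getprop ro.build.version.security_patch
# which prints a date such as 2021-12-05.

REQUIRED_MONTH="2021-12"   # assumption: any 2021-12 level counts, per the article

# patch_status LEVEL -> prints patched | outdated | unknown
patch_status() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output can end in a CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;          # empty or malformed value
    esac
    month=${level%-*}                         # YYYY-MM-DD -> YYYY-MM
    # Zero-padded ISO months order correctly as plain strings.
    oldest=$(printf '%s\n%s\n' "$REQUIRED_MONTH" "$month" | LC_ALL=C sort | head -n 1)
    if [ "$oldest" = "$REQUIRED_MONTH" ]; then echo patched; else echo outdated; fi
}

# audit_inventory: reads "SERIAL LEVEL" lines on stdin and prints every
# device that is not confirmed patched, followed by its status.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(patch_status "$level")
        [ "$status" = patched ] || printf '%s %s\n' "$serial" "$status"
    done
}

# Constructed sample inventory (device names and levels are made up).
SAMPLE_INVENTORY='device-a 2021-10-01
device-b 2021-12-05
device-c 2022-04-01
device-d
'

printf '%s' "$SAMPLE_INVENTORY" | audit_inventory
```

A device that reports no level or a malformed one is listed as unknown rather than assumed patched, so it still shows up for manual follow-up.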