Security researchers said they discovered a vulnerability that could have allowed hackers to commandeer millions of Android devices powered by mobile chipsets made by Qualcomm and MediaTek.
The vulnerability resided in ALAC – short for Apple Lossless Audio Codec and also known as Apple Lossless – which is an audio format introduced by Apple in 2004 to provide lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek hadn’t been updated since 2011.
Together, Qualcomm and MediaTek provide mobile chipsets for approximately 95% of US Android devices.
Remote listening device
The buggy ALAC code contained an out-of-bounds vulnerability, which means it fetched data outside the bounds of allocated memory. Hackers could exploit this error to force the decoder to execute malicious code that would otherwise be prohibited.
“The ALAC issues discovered by our researchers could be used by an attacker for a remote code execution (RCE) attack on a mobile device via a malformed audio file,” security firm Check Point said Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from executing malware to an attacker taking control of a user’s media data, including streaming from a compromised machine’s camera.”
Check Point quoted a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they received a patch.
The ALAC vulnerability, identified as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek, can also be exploited by an unprivileged Android application to escalate its privileges and gain access to media data and the device's microphone, raising the specter of eavesdropping on nearby conversations and other ambient sounds.
Both chipset makers submitted patches last year to Google or device makers, who in turn delivered the patches to eligible users in December. Android users who want to know if their device is patched can check the security patch level in the operating system settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets are still not receiving security patches on a regular basis, if at all, and those with patch levels prior to December 2021 remain susceptible.
The vulnerability calls into question the reliability of the open source code used by Qualcomm and MediaTek and their methods for maintaining its security. While Apple has updated its proprietary ALAC codebase over the years to fix vulnerabilities, it’s concerning that the two chipset behemoths haven’t followed suit. The vulnerability also raises the question of what other open-source code libraries used by chipmakers might also be outdated.
In a statement, Qualcomm officials wrote:
Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend Check Point Technologies security researchers for employing industry-standard Coordinated Disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made fixes available to device manufacturers in October 2021. We encourage end users to update their devices as updates become available.
MediaTek did not immediately respond to a message.
Check Point said it will provide technical details on the vulnerability next month at the CanSecWest conference in Vancouver.