Android smartphones as well as smart devices running recent versions of the operating system could still be vulnerable to a security risk. Strangely, the security vulnerability stems from Apple's Lossless Audio Codec (ALAC).
Qualcomm and MediaTek chipsets collectively power about 95% of American Android devices. Any Android device with an Android Security Patch level prior to December 2021 is currently vulnerable to an “Out-of-Bounds” security vulnerability, security firm Check Point revealed. The vulnerability could allow hackers to commandeer millions of Android devices with a MediaTek or Qualcomm chipset.
The vulnerability resides in ALAC, which is commonly referred to as Apple Lossless. ALAC is an audio format that Apple introduced way back in 2004. As the name suggests, the codec promises to deliver lossless audio over the Internet.
Although Apple designed its own proprietary version of ALAC, there exists an open-source version that Qualcomm and MediaTek rely on for Android smartphones. It is concerning to note that both the chipset manufacturers were using a version that hadn’t been updated since 2011.
In a blog post that attempts to explain the security vulnerability, Check Point writes:
The ALAC issues our researchers found could be used by an attacker for Remote Code Execution attack (RCE) on a mobile device through a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
Qualcomm has been tracking the vulnerability with the CVE identification tag CVE-2021-30351, while MediaTek was using CVE IDs CVE-2021-0674 and CVE-2021-0675. Technical jargon aside, the bug in the open-source version of Apple Lossless can be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone. This essentially means apps could eavesdrop not only on phone conversations but also on nearby conversations and other ambient sounds.
Both the companies submitted patches not only to Google but also to Android device manufacturers. These patches have to reach Android devices in active use through the Security Patches delivery method. Incidentally, the majority of Android devices should have received the patch in the cumulative Security Patch dated December 2021.
It is, however, concerning to note that there could be several Android devices that may not be receiving security patches on a regular basis. This means an Android device with a security patch level prior to December 2021 is currently susceptible to the security vulnerability within the open-source version of the Apple Lossless codec. To check the security patch date, head over to Settings and check for the Android version information tab. The Security Patch version is usually mentioned there.
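For anyone checking more than one device, the same patch-date check can be scripted. The following is an added example, not code from Check Point or the chipset vendors: it classifies patch-level strings against the article's December 2021 cutoff. The function names and the sample inventory are constructed for illustration; `ro.build.version.security_patch` is the Android system property that holds the patch level shown in Settings.

```shell
#!/bin/sh
# Added example. Cutoff comes from the article: patch levels prior to
# December 2021 are treated as vulnerable to the ALAC decoder bugs.
CUTOFF=202112

# classify_patch_level LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN.
# LEVEL is the YYYY-MM-DD string Android reports as its security patch level.
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-3][0-9]|[0-9][0-9][0-9][0-9]-1[0-2]-[0-3][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty or malformed: report, do not guess
    esac
    ym="${1%-*}"                       # 2021-11-05 -> 2021-11
    ym_num="${ym%-*}${ym#*-}"          # 2021-11    -> 202111
    if [ "$ym_num" -lt "$CUTOFF" ]; then echo VULNERABLE; else echo PATCHED; fi
}

# audit_inventory: stdin lines of "<label> <level>"; prints a verdict per device.
audit_inventory() {
    while read -r label level || [ -n "$label" ]; do
        [ -n "$label" ] || continue
        printf '%-10s %-12s %s\n' "$label" "${level:--}" "$(classify_patch_level "$level")"
    done
}

# count_unpatched: same input; prints how many devices are not confirmed PATCHED.
count_unpatched() {
    audit_inventory | grep -cv ' PATCHED$' || true
}

# Optional: read the level from a USB-connected device (needs adb and USB debugging).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed sample inventory (labels and dates are made up for illustration).
SAMPLE='phone-a 2021-11-05
phone-b 2021-12-01
tablet-c 2022-03-05
tv-box-d
phone-e 2020-13-01'

printf '%s\n' "$SAMPLE" | audit_inventory
echo "not confirmed patched: $(printf '%s\n' "$SAMPLE" | count_unpatched)"
```

Devices that report no patch level or a malformed one are counted as not confirmed patched rather than assumed safe.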