A new study has revealed that a major vulnerability existed on Android devices since 2011. This new flaw was found in the audio decoder (codec) that could have given hackers access to the device’s audio conversations as well as its media. The study claimed that two-thirds of all smartphones sold in 2021 are vulnerable to this attack.
according to Study Published by the world’s two largest mobile chipset makers, Check Point, MediaTek and Qualcomm, use ALAC audio coding in their widely distributed mobile handsets. It put the privacy of millions of Android users at risk. The report claims that Qualcomm and MediaTek have acknowledged the vulnerabilities, and rolled out patches and fixes in response.
Apple’s role in newly discovered vulnerability
Apple Lossless Audio Codec (ALAC), also known as Apple Lossless, is an audio coding format developed by Apple Inc. and first introduced in 2004 for lossless data compression of digital music.
In late 2011, Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, Linux and Windows media players, and converters.
Since then Apple has been updating the proprietary version of the decoder several times, fixing and patching security issues, but the shared code hasn’t been patched since 2011. Many third-party vendors use code supplied by Apple as the basis for their own ALAC. implementations, and it’s fair to assume that many of them don’t maintain external code.
Check Point claims that Qualcomm and MediaTek have ported vulnerable ALAC codes to their audio decoders, which are used in more than half of all smartphones worldwide.
How the flaw could affect Android users
Check Point researchers found that the ALAC vulnerability could be exploited by an attacker to launch a remote code execution attack (RCE) on a mobile device via a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control of a user’s multimedia data, including those streaming from a compromised machine’s camera.
Additionally, an unprivileged Android app could use these vulnerabilities to elevate its privileges and gain access to media data and user conversations. The vulnerabilities were fixed by both MediaTek and Qualcomm in December 2021.
Post single fault has left Android devices vulnerable to hacking since 2011: report first appeared on BGR India.