A flaw that researchers recently discovered in ALAC could have enabled hackers to take control of millions of Android smartphones using Qualcomm and MediaTek mobile chipsets, according to security experts. The flaw was found in ALAC—short for Apple Lossless Audio Codec and commonly known as Apple Lossless—a lossless audio codec created by Apple in 2004 for delivery over the Internet.
While Apple’s proprietary version of the decoder has been updated to address security flaws throughout the years, Qualcomm and MediaTek’s open-source versions had not been updated since 2011. Qualcomm and MediaTek jointly produce mobile chipsets for an estimated 95 percent of Android handsets in the United States.
“The ALAC flaw our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” said security firm Check Point. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”
The faulty ALAC code had an out-of-bounds vulnerability, which meant it could retrieve data from memory that was not allocated. Hackers could take advantage of this oversight to force the decoder to run malicious code that would otherwise be prohibited. The vulnerability, tracked as CVE-2021-30351 by Qualcomm and as CVE-2021-0674 and CVE-2021-0675 by MediaTek, can be exploited to escalate system privileges to media data and the device microphone, raising the chances of eavesdropping on nearby conversations and other ambient sounds.
“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end-users to update their devices as security updates have become available,” said Qualcomm in a statement.
Last year, the two chipmakers submitted updates to Google or device makers, who then sent the patches to qualifying customers in December. Android owners can view the security patch level in the OS settings to see if their device is patched. The device is no longer susceptible if the patch level displays a date of December 2021 or later. Many devices, however, are still not receiving security patches regularly, if at all, and those with patch levels earlier than December 2021 are still vulnerable.