If you have an Android phone with a Qualcomm or MediaTek chipset (this semiconductor duo supplies 95% of U.S. Android devices), your device was vulnerable to a gnarly flaw that allowed hackers to hijack it.
According to Check Point investigators, this bug stems from the Apple Lossless Audio Codec (ALAC). You may be wondering, “What does Apple have to do with an Android vulnerability?”
Well, as it turned out, ALAC (an audio format that rolled out 18 years ago and introduced lossless audio over the web) has an open-source variant that Qualcomm and MediaTek use, and it hadn’t been updated since 2011 (h/t Ars Technica). Qualcomm and MediaTek ported this outdated open-source code into their audio decoders, which jeopardized countless devices.
Apple users don’t have to worry. The proprietary version of ALAC has received several updates and patches over the years.
How hackers could use malicious audio files to hijack Android devices
Check Point researchers uncovered that the Android-based ALAC decoders allowed attackers to carry out remote code execution (RCE) attacks via malicious audio files. “RCE attacks allow an attacker to remotely execute malicious code on a computer,” Check Point said in its report.
Using RCE, hackers can execute malware on the victim’s device, hijack users’ multimedia data (e.g., stream from a compromised machine’s camera), gain access to victims’ media data and conversations, and more.
Fortunately, Check Point disclosed its research findings to Qualcomm and MediaTek; the vulnerabilities are now fixed. Both semiconductor companies released patches for the ALAC flaw as of December 2021.
We can now breathe a sigh of relief over the ALAC vulnerability patch, but Ars Technica raised a spine-tingling question I’ll leave you to mull over: “What other open-source libraries used by the chipmakers might be similarly out of date?”
Check Point investigators said they’ll delve deeper into the technical details behind this audio codec vulnerability at the CanSecWest Conference in Vancouver.