If you have an Android smartphone, chances are it has a Qualcomm or MediaTek chip. Israeli company Check Point has just disclosed three major vulnerabilities affecting many models of smartphone chips. These vulnerabilities affect the audio decoders of these chips: properly exploited, they allow a hacker to remotely access files as well as a stream of audio conversations.
This, of course, puts these devices at increased risk of hacking and espionage. Worse, when combined, these bugs allow arbitrary code to be executed remotely. All hackers have to do is create a malicious audio file and trick their victim into playing it. It’s easy to imagine how malicious actors with a dash of social engineering could trick targets into opening this type of file.
These three new vulnerabilities require an urgent update of your smartphone
The risk is all the greater at a time when many people prefer to communicate via recorded audio messages rather than text. However, hackers also have other, more discreet ways to exploit these vulnerabilities, with potentially very worrying consequences. Check Point says: “The impact of the RCE vulnerability ranges from executing malware to taking control of a user’s media data – including streaming video from the device’s camera. Additionally, an unprivileged Android application is likely to exploit these vulnerabilities to gain privilege and gain access to media data and user conversations.”
The three vulnerabilities, CVE-2021-0674, CVE-2021-0675 and CVE-2021-30351, essentially stem from an issue in the open-source version of the Apple Lossless Audio Codec (ALAC). This lossless audio format, also called Apple Lossless, was made open source by Apple in 2011. Qualcomm and MediaTek have since implemented the format in their hardware decoders. However, these manufacturers rely on a version that has not been updated on GitHub for 11 years – the last activity on the codec page dates from 10/27/2011.
For its part, Apple is constantly updating the proprietary version of the codec, so iPhones, iPads and Macs are not affected by the problem. Qualcomm and MediaTek were able to patch these flaws as early as December 2021. However, not all smartphone manufacturers have since pushed mandatory corrective updates, especially for smartphones that are a few years old. Not to mention that probably not all Android users have applied the available updates.
We therefore recommend that you check if your device is up to date when in doubt – and be extra wary of non-Play Store apps and files you receive in calls, especially if you have a smartphone that is no longer covered by the manufacturer’s security patches.
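One way to run that check on several devices at once, as an added example that is not part of the original article: the script classifies Android security patch levels against the December 2021 fix date mentioned above. The `2021-12-05` cutoff, the function names and the sample inventory are assumptions made for this example; confirm the cutoff against your device vendor's security bulletin.

```shell
#!/bin/sh
# Added example (not from the article): flag Android devices whose reported
# security patch level predates the December 2021 chipset fixes.
# On a real device the level comes from:
#   adb shell getprop ro.build.version.security_patch

# Assumed cutoff, derived from the "December 2021" date in the article.
CUTOFF="2021-12-05"

# classify_patch_level LEVEL -> prints "patched", "outdated" or "unknown"
classify_patch_level() {
    # adb output can carry a trailing carriage return; strip it first.
    level=$(printf '%s' "$1" | tr -d '\r')
    # Accept only the YYYY-MM-DD form Android reports; anything else
    # (empty, "unknown", vendor strings) must not be treated as patched.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$CUTOFF" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo patched
    else
        echo outdated
    fi
}

# audit_inventory: reads "SERIAL PATCH_LEVEL" lines on stdin and prints
# "SERIAL STATUS" for each device.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (serials and patch levels are made up).
SAMPLE='device-0001 2022-03-05
device-0002 2021-12-01
device-0003 2020-08-05
device-0004'

printf '%s\n' "$SAMPLE" | audit_inventory
```

A device reported as `unknown` or `outdated` should be treated as exposed until the manufacturer's update is installed; the patch level is the vendor's own claim, so it is a lower bound on risk rather than proof of a fix.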