Millions of Android devices were vulnerable to a remote code execution attack due to flaws in an audio codec that Apple open-sourced years ago but which hasn’t been patched since.
Researchers at Check Point discovered a bug in Apple Lossless Audio Codec (ALAC), which is audio-compression technology that Apple open-sourced in 2011. After this, ALAC was embedded in Android devices and programs for audio playback.
The problem, as Check Point researchers note, is that while Apple updated and patched its proprietary version of ALAC, the open-source code for ALAC hasn’t been updated since 2011 and it contains a critical flaw that allows for remote code execution.
A remote attacker can exploit the flaw by sending the target a malformed audio file, which allows the attacker to execute malware on an Android device.
The flaw “could have led an attacker to remotely get access to its media and audio conversations,” the researchers said.
The bugs affect Android devices with chips from MediaTek and Qualcomm, which have both confirmed the flaws. Qualcomm patched the bug, tracked as CVE-2021-30351, in its December security update. MediaTek also addressed the ALAC issues, tracked as CVE-2021-0674 and CVE-2021-0675, in its December security update.
Qualcomm gave CVE-2021-30351 a “critical” rating with a severity score of 9.8 out of a possible 10.
“An out of bound memory access can occur due to improper validation of number of frames being passed during music playback,” Qualcomm says in its advisory.
MediaTek rated CVE-2021-0675 as a “high” severity elevation of privilege bug due to “improper restriction of operations within the bounds of a memory buffer in alac decoder”. It affects dozens of MediaTek chips used in devices running Android versions 8.1, 9.0, 10.0, and 11.0, according to MediaTek.
“In alac decoder, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” it notes.
MediaTek says CVE-2021-0674 is a “medium” severity rating that “could lead to local information disclosure with no additional execution privileges needed.” Again, user interaction is not needed for exploitation.
How many Android devices are vulnerable depends on how many people have installed firmware updates in which the flaws are fixed. But the two chipmakers are the largest vendors behind system on chips used in Android devices sold in the US and around the world.
Check Point estimates that two-thirds of all smartphones sold in 2021 are vulnerable to what it calls “ALHACK”.
Google did release a patch for the Qualcomm bug and MediaTek’s CVE-2021-0675 in its December 2021 update. However, it’s still up to each Android handset manufacture to roll out patches at their own pace.
Check Point plans to reveal more details about the flaws at the CanSecWest security conference next month.