Critical bug could have let hackers commandeer millions of Android devices

Getty Images

Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.

The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.

Together, Qualcomm and MediaTek supply mobile chipsets for an estimated 95 percent of US Android devices.

Remote bugging device

The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the limits of allocated memory. Hackers could exploit this mistake to force the decoder to execute malicious code that otherwise would be off-limits.

“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”

Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they’ve received a patch.

The ALAC vulnerability—tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek—can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.

The two chipset manufacturers submitted patches last year to either Google or to device makers, which in turn delivered the patches to qualifying users in December. Android users who want to know if their device is patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets still don’t receive security patches on a regular basis, if at all, and those with a patch level prior to December 2021 remain susceptible.

The vulnerability calls into question the reliability of the open-source code that Qualcomm and MediaTek use and their methods for maintaining its security. If Apple can update its proprietary ALAC codebase over the years to fix vulnerabilities, it’s concerning that the two chipset behemoths haven’t followed suit. The vulnerability also raises the question of what other open-source code libraries used by the chipmakers might be similarly out of date.

In a statement, Qualcomm officials wrote:

Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.

MediaTek didn’t immediately respond to a message.

Check Point said that it will provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver.