In what could have been a privacy disaster for Millions of Android users, a research “ALHACK” claims that two third of the smartphones sold in 2021 were vulnerable. Read the story to know more.
For the lossless data compression of digital music, an audio coding format called Apple Lossless Audio Codec (ALAC), popularly known as Apple Lossless was introduced in 2004.
From its inception, 2004, to 2011 it was closed source. After Apple made the codec open source in 2011, this format has been used in many non-Apple audio playback devices and programs which includes Android-based smartphones, Linux and Windows media players and converters.
Post this the proprietary version of the decoder has been updated by Apple giant several times. They have fixed and patched security issues. Notably, the shared code has not been patched since 2011.
As a base of their own ALAC implementations, many 3rd party vendors use the Apple-supplied code. It is fair to assume that many of them do not maintain the external code.
Two of the largest mobile chipset makers in the world, Qualcomm and MediaTek ported the vulnerable ALAC code into their audio decoders said Check Point Research. It is these very decoders that are used in more than half of the smartphones.
As of Q4 2021, 48.1% of all Android phones sold in the US are powered by MediaTek and 47% by Qualcomm.
The Threat
There are some issues with ALAC. Through a malformed audio file, it could be used by an attacker for remote code execution attack (RCE) on a mobile device. These RCE attacks allow an attacker to remotely execute malicious code on a computer.
The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
Its not just that, but an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.
Responsible disclosure
Working closely in collaboration with MediaTek and Qualcomm to make sure these vulnerabilities were fixed, Check Point Research responsibly disclosed the information to both.
MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.