Security researchers have uncovered a flaw in an audio coding format that could’ve been exploited to help hackers remotely attack Android phones simply by sending a malicious audio file.
The flaw involved the Apple Lossless Audio Codec (ALAC), according to security firm Check Point, which uncovered the problem last year. The codec is open-sourced and used widely across non-iPhone devices, including Android smartphones.
For years now, Apple has been updating the proprietary version of ALAC, but the open-source version has remained unpatched since 2011, according to Check Point. This led the security firm to uncover a serious vulnerability in how a pair of major companies were implementing ALAC.
“Check Point Research has discovered that Qualcomm and MediaTek, two of the largest mobile chipset makers in the world, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide,” the security firm wrote in a blog post.
Security bulletins from Qualcomm and MediaTek indicate the flaw affected dozens of chipsets from both companies, including the Snapdragon 888 and 865, meaning millions of Android smartphones were affected.
The vulnerability could help an attacker remotely execute code on an Android phone by sending a maliciously crafted audio file capable of triggering the ALAC flaw. From there, the hacker could try to install additional malware on the device or attempt to access the camera.
Existing mobile apps could also exploit the flaw to gain access to an affected Android smartphone’s media folder without asking the user for permission, according to Check Point.
The good news is that Qualcomm and MediaTek patched the flaw in December after the problem