Android devices at risk of RCE due to unpatched Apple codec


Several Android devices running on Qualcomm and MediaTek chipsets were at risk of remote code execution (RCE) after security experts found vulnerabilities in the Apple Lossless Audio Codec (ALAC) implementation.

Apple Lossless Audio Codec, or ALAC, is an audio coding format for lossless audio compression provided by Apple and made available in 2011. Since its launch, the tech giant has been releasing updates and patches to the codec, but many vendors using the codec in their products do not apply the provided fixes.

Qualcomm and MediaTek, both large smartphone chip manufacturers worldwide, are two of the vendors found not to have applied the codec patches.


Despite providing limited details about the flaws, researchers explained that the critical bugs in Apple’s codec allow hackers to remotely execute code on a targeted device, an attack technique known as RCE.


In the RCE attack, dubbed ‘ALHACK,’ the remote hacker sends a malicious audio file to the victim and tricks them into opening it. The experts mentioned several consequences that the RCE attack could have for its victims, including data breaches, malware dropping, modification of device settings and hardware components, and ultimately takeover of the compromised device.

After the critical ALAC flaws were discovered, MediaTek and Qualcomm immediately fixed them. They are tracked as CVE-2021-0674, CVE-2021-0675, and CVE-2021-30351.

The researchers reached out to Qualcomm for a statement regarding the issue. The firm responded that it had made patches for the vulnerability and strongly encouraged its users to update their devices, since security updates are now available.

Even though RCE flaws in closed-source audio processing units turn up in almost every monthly Android security update, experts say there is still only a small chance that hackers abuse them. Moreover, the vendors associated with the flaws have always released fixes for the discovered bugs, reducing exploitation risks.

Nevertheless, Android device users are still strongly advised to keep their devices up to date and to be aware of the latest security fixes that their vendors are releasing. Users must also be careful about accepting suspicious files from unfamiliar sources, and it is best not to open them to avoid possible security risks.
