Single flaw made Android devices vulnerable to hacking since 2011: Report

New research has shown that Android phones have a serious vulnerability since 2011. The new vulnerability was discovered in the Audio Decoder, which can allow hackers to access the phone’s media and audio conversations. This attack is predicted to affect two-thirds (or more) of smartphones that will be sold by 2021.

Check Point’s study found that MediaTek and Qualcomm were the largest manufacturers of mobile chipsets in the world. They used ALAC audio code in widely-used mobile phones. Millions of Android users were at risk because this posed a threat to their privacy. According to the report, MediaTek and Qualcomm acknowledged these vulnerabilities and issued patches and fixes as a response.

Apple’s involvement in this newly discovered vulnerability

Apple Lossless Audio Codec, also called Apple Lossless (ALAC), is an audio codec format that Apple Inc. developed. It was first used for digital music lossless compression in 2004.

The codec was made open-source by Apple in late 2011. The ALAC format was embedded in many non Apple audio players and programs since then. This includes Android smartphones and tablets, Linux, Windows media players, and converters.

Apple has updated the proprietary decoder multiple times since then, fixing security problems and updating it, but the shared code was not patched in 2011! Third-party vendors often use Apple’s code for their ALAC implementations. It is reasonable to suppose that they don’t maintain the shared code.

Check Point asserts that Qualcomm and MediaTek have ported the vulnerability ALAC code to their audio decoders. These devices are found in over half of all smartphone worldwide.

What could this flaw mean for Android users?

Researchers at Check Point discovered that an attacker could use the ALAC vulnerability to launch remote code execution attacks (RCEs) from a mobile device via a malformed file. An attacker can remotely execute malicious software on a computer through RCE attacks. An RCE vulnerability could result in malware execution or an attacker taking control of a user’s multimedia data. This includes streaming video from the compromised machine’s camera.

Unprivileged Android apps could also use the vulnerabilities to increase their privileges, gain access to user conversations and media data. Both MediaTek and Qualcomm fixed the vulnerabilities in December 2021.

Faqs

Conclusion

New research has shown that Android phones have a serious vulnerability since 2011. The new vulnerability was discovered in the Audio Decoder, which can allow hackers to access the phone’s media and audio conversations. This attack is predicted to affect two-thirds (or more) of smartphones that will be sold by 2021.