If you have an Android smartphone, it is likely to have a Qualcomm or MediaTek chip. The Israeli firm Check Point has just published three huge security flaws that target many models of smartphone chips. This security flaw affects the audio decoders of these chips: exploited correctly, it allows any hacker to remotely access files as well as a stream of audio conversations.
This obviously exposes these devices to an increased risk of hacking and eavesdropping. Worse still, taken together, these flaws allow remote arbitrary code execution. All hackers have to do is construct a malicious audio file and trick their victim into playing it. It is easy to imagine how, with a pinch of social engineering, malicious actors can trick targets into opening this type of file.
These three new flaws require you to urgently update your smartphone
Especially at a time when many people prefer to communicate via recorded audio messages rather than text. However, hackers also have other, more discreet options for exploiting these vulnerabilities, with potentially very worrying consequences. Check Point states: “The impact of the RCE vulnerability ranges from executing malware to taking control of a user’s media data – including streaming video from the device’s camera. Furthermore, an unprivileged Android application is likely to use these vulnerabilities to gain privileges and gain access to media data and user conversations”.
The three flaws, CVE-2021-0674, CVE-2021-0675 and CVE-2021-30351 essentially reside in an issue with the open source version of the Apple Lossless Audio Codec (ALAC). This lossless audio format, also called Apple Lossless, was made open source by Apple in 2011. Qualcomm and MediaTek have since implemented the format in their hardware decoder. But these manufacturers are basing this on a version that has not been updated on GitHub for 11 years – since the last activity on the codec page dates from October 27, 2011.
For its part, Apple continuously updates the proprietary variant of the codec. So iPhones, iPads and Macs are not affected by the issue. Qualcomm and MediaTek have in the meantime been able to plug these breaches as early as December 2021. However, not all smartphone manufacturers have necessarily, in the meantime, pushed corrective updates. Especially for smartphones a few years old. Not to mention the fact that not all Android users are likely to have applied the available updates.
Also Read – This gigantic security flaw endangers most Android smartphones
If in doubt, we therefore recommend that you check that your device is up to date – and take particular care with non-Play Store applications and files received in conversations, especially if you have a smartphone that is no longer covered by manufacturer’s security patches.
Par: Bitdefender