Researchers found a security vulnerability that puts millions of Android phones using chipsets made by Qualcomm and MediaTek at risk of being infiltrated by hackers.
This security vulnerability stems from ALAC or Apple Lossless Audio Codec, an audio format that Apple launched in 2004 to provide lossless audio in iTunes. After being available open source in 2011, this codec is also widely used by non-Apple devices, including Android phones.
Over the years Apple has always updated its version of ALAC to patch security holes and other bugs. Unfortunately, a Check Point Research report says the open source version of ALAC used by Qualcomm and MediaTek has not been updated since 2011.
As a result, chipsets made by Qualcomm and MediaTek have security holes that have never been patched. Given their position in the global chip market, Check Point Research believes this vulnerability was found in two-thirds of Android phones sold throughout 2021.
According to a Check Point Research report, thanks to this vulnerability, hackers were able to use flawed audio files to carry out remote code execution (RCE) attacks.
RCE is one of the most dangerous types of exploits because these attacks can be launched without requiring physical access to the device and can be executed remotely.
"RCE attacks allow hackers to remotely execute malicious code on computers," said Check Point Research researchers, as quoted by Ars Technica, Sunday (24/4/2022).
"The impact of an RCE loophole could range from malware execution to hackers taking control of users' multimedia data, including streaming from compromised device cameras."
Not only that, this security vulnerability can also provide additional privileges for Android applications, and can be exploited by hackers to access microphones and eavesdrop on user conversations.
The good news is that Qualcomm and MediaTek have released patches to mobile phone vendors who then distribute them to users in December 2021 to patch the security gap. Check Point Research also found no evidence that the vulnerability was ever exploited by hackers.
Android users who have installed the update in December 2021 or later should be safe and won't have to worry about this loophole anymore.
But there are still many Android devices that don't receive regular security updates, and devices that haven't received the December 2021 patch are still at risk of being compromised.
