Android security: Flaw in an audio codec left two-thirds of smartphones at risk of snooping, say researchers

Millions of Android devices were vulnerable to a remote code execution attack due to flaws in an audio codec that Apple open-sourced years ago but which hasn’t been patched since.    

Researchers at Check Point discovered a bug in the Apple Lossless Audio Codec (ALAC), an audio-compression technology that Apple open-sourced in 2011. ALAC was subsequently embedded in Android devices and programs for audio playback.

The problem, as Check Point researchers note, is that while Apple updated and patched its proprietary version of ALAC, the open-source code for ALAC hasn’t been updated since 2011 and it contains a critical flaw that allows for remote code execution. 

A remote attacker can exploit the flaw by sending the target a malformed audio file, which allows the attacker to execute malware on an Android device. 

The flaw “could have led an attacker to remotely get access to its media and audio conversations,” the researchers said.

The bugs affect Android devices with chips from MediaTek and Qualcomm, which have both confirmed the flaws. Qualcomm patched the bug, tracked as CVE-2021-30351,

Read More: https://www.zdnet.com/article/android-security-flaw-in-an-audio-codec-left-two-thirds-of-smartphones-at-risk-of-snooping-say-researchers/#ftag=RSSbaffb68