Check Point security researchers warn that millions of Android smartphones and tablets around the world are vulnerable to malicious code attacks. The cause is legacy, vulnerable code for an Apple audio codec that is used on the devices.
Apple’s Lossless Audio Codec (ALAC) provides mathematically lossless compression of digital music. The codec has been around since 2004. It has been open source since 2011 and is used by many for audio playback on all platforms. Mobile chipmakers Qualcomm and MediaTek use it as well.
Malicious code attacks
Security researchers explain in a report that the chipmakers’ vulnerable code (CVE-2021-0674 “medium”, CVE-2021-0675 “high”, CVE-2021-30351 “critical”) Manufacturers supply about 95 percent of Android devices with chips. As a result, millions of devices are potentially at risk.
For an attack to be successful, the victim must play a crafted ALAC file. A remote attacker could then execute malicious code on the device. If that succeeds, the attacker could usually gain full control of the system. Security researchers plan to provide more details about the vulnerabilities at the CanSecWest conference in May.
Check patch status
Both vendors claim to have released security patches in December 2021. For example, Google closed the Qualcomm vulnerability (CVE-2021-30351) on patch day in the same month.
If you own an Android device, you need to make sure the patch level is at least December 2021. The problem is that not all devices receive security updates, so many are, and will remain, potentially vulnerable.
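One way to run this check across adb-connected devices, as an added example that is not part of the original article or of Check Point's report: it reads the `ro.build.version.security_patch` property and compares it with a December 2021 cut-off. The function names and the `MIN_PATCH` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the Android security patch level of adb-connected devices.
# MIN_PATCH follows the article's "at least December 2021" (assumed default).
# Android bulletins define a -01 and a -05 level per month; vendor component
# fixes belong to the -05 level, so MIN_PATCH=2021-12-05 is the stricter setting.
MIN_PATCH="${MIN_PATCH:-2021-12-01}"

# Succeeds when $1 has the YYYY-MM-DD shape the property normally carries.
is_patch_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when patch level $1 is well formed and >= $2 (default: MIN_PATCH).
patch_level_ok() {
    is_patch_date "$1" || return 1
    # Zero-padded ISO dates compare correctly as integers once dashes are removed.
    [ "$(printf '%s' "$1" | tr -d '-')" -ge "$(printf '%s' "${2:-$MIN_PATCH}" | tr -d '-')" ]
}

# Prints one verdict line for a device serial and its reported patch level.
classify_device() {
    if ! is_patch_date "$2"; then
        # Old or modified builds may report nothing: do not assume "patched".
        echo "$1 UNKNOWN"
    elif patch_level_ok "$2"; then
        echo "$1 OK $2"
    else
        echo "$1 OUTDATED $2"
    fi
}

# Queries every authorized, online device (state "device") over adb.
audit_devices() {
    adb devices | tail -n +2 | while read -r serial state rest; do
        [ "$state" = "device" ] || continue
        # </dev/null keeps "adb shell" from swallowing the rest of the device list.
        level="$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')"
        classify_device "$serial" "$level"
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_devices; fi
```

Devices reported as UNKNOWN or OUTDATED are the ones to follow up on with the vendor's update channel; a patch level only says what the build claims to include.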