Check Point researchers have discovered that many Android devices running on Qualcomm and MediaTek chipsets are vulnerable to remote code execution due to bugs in the Apple Lossless Audio Codec (ALAC).
Apple introduced the Apple Lossless Audio Codec (ALAC) in 2004 and open-sourced it in 2011. After that, many other device manufacturers (besides Apple) began to use ALAC in their products. Interestingly, over all these years Apple has continued to improve the proprietary version of its codec, while the open-source version has not been updated at all in 11 years.
So far, Check Point experts have not released many details about the actual exploitation of the vulnerabilities they found, but they promised to present a detailed report at the CanSecWest conference, which will be held in May 2022.
According to Check Point, the vulnerability allows a remote attacker to execute code on a victim’s device by sending a malicious audio file and tricking the user into opening it. The researchers named this attack ALHACK.
Bugs in ALAC were fixed by MediaTek and Qualcomm back in December 2021 and are tracked as CVE-2021-0674 (CVSS score 5.5), CVE-2021-0675 (CVSS score 7.8), and CVE-2021-30351 (CVSS score 9.8).
The root of the problem is that Qualcomm’s and MediaTek’s ALAC implementations suffer from out-of-bounds reads and writes, as well as from incorrect validation of audio frames passed during audio playback. In addition to the arbitrary code execution that the experts describe, such bugs can lead to information disclosure and privilege escalation without user interaction.