
Millions of Android Devices Exposed by Unpatched Apple Lossless Codec Flaw: Researchers

The flaw allowed hackers to remotely execute code, potentially allowing them to snoop on Android users.

Highlights
  • Researchers found flaws with the Apple Lossless Audio Codec (ALAC)
  • Apple open-sourced the code for ALAC in 2011 but the flaws were unpatched
  • Qualcomm and MediaTek issued patches fixing the flaws in December 2021

Android phones that received the December 2021 security patches are no longer vulnerable


Security researchers have uncovered flaws in an audio codec that put millions of Android phones and other Android devices powered by MediaTek and Qualcomm chipsets at risk of being compromised by hackers. Stemming from a codec created by Apple several years ago, the vulnerabilities had been left unpatched since the company open-sourced the codec 11 years ago for inclusion on non-Apple devices. By leveraging the security flaws, an attacker could remotely get access to an Android phone's media and audio conversations, according to the researchers.

According to a report by researchers at Check Point Research, a flaw in Apple's Apple Lossless Audio Codec (ALAC) allows an attacker to perform a remote code execution (RCE) attack on a target smartphone after sending a malformed audio file. An RCE attack can allow the attacker to gain control of multimedia on the handset, including streaming video from the cameras and accessing media and user conversations.

The security flaws were discovered in Apple's ALAC codec, which was open-sourced by the company in 2011, allowing non-Apple devices to stream music in 'lossless' quality using Apple's previously proprietary codec. However, while Apple patched the proprietary version of the ALAC codec, the open-source version remained unpatched, according to the researchers.

Qualcomm and MediaTek, the chipset manufacturers, ported the vulnerable ALAC codec to their audio decoders. As a result, over two-thirds of all smartphones sold in 2021 were vulnerable to the security flaws, dubbed "ALHACK", according to the researchers. The vulnerabilities were responsibly disclosed to Qualcomm and MediaTek, who both acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) identifiers for the flaws. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 (with 'Medium' and 'High' ratings, respectively), while Qualcomm assigned CVE-2021-30351 (with a 'Critical' rating of 9.8 out of 10) for the ALAC flaws, before patching them.

According to the researchers, both companies have issued patches for the flaws included in the December 2021 Android security bulletin, which means that users with smartphones that received the December security patches should be safe from the vulnerabilities. However, this leaves out millions of users running outdated software, or users who receive erratic security updates — putting them at risk of being compromised by attackers.
