Researchers at Israeli security firm Check Point Research discovered that attackers could use the vulnerabilities to carry out a remote code execution (RCE) attack. Check Point wrote in its blog that “The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.” Additionally, an unprivileged Android app could use these vulnerabilities to escalate its privileges, gaining access to media data and user conversations.
Late last year, a pair of vulnerabilities identified in Qualcomm and MediaTek chipsets were finally patched, but not before an attacker had access to media and audio conversations on two-thirds of Android handsets. The Apple Lossless Audio Codec (ALAC), which enables lossless data compression of digital audio streams, is used by both Qualcomm and MediaTek. Apple made ALAC open source a little over a decade ago, allowing it to be utilised on non-Apple devices like Android phones. Several updates have been made; however, it had not been patched since 2011.
Qualcomm and MediaTek chips were affected by the vulnerabilities – 67% of Android phones were at risk for a remote attack until late last year. Check Point Research has discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio decoders, which it says are used on over half of all smartphones worldwide. Check Point notes that the latest IDC numbers show that a leading 48.1% of all Android phones in the United States are equipped with a MediaTek chipset, with 47% using Qualcomm.
Security researcher Slava Makkaveev, who discovered the vulnerabilities along with Netanel Ben Simon, said, “The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone.”
Check Point passed the information it had gathered to both Qualcomm and MediaTek. The latter assigned two Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2021-0674 and CVE-2021-0675, to the ALAC vulnerabilities, which had already been fixed by MediaTek and published in the December 2021 MediaTek Security Bulletin. Qualcomm released a patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.