As of the end of last year, 67% of Android phones were vulnerable to a remote attack

Researchers at Israeli security firm Check Point Research discovered that attackers could use the vulnerabilities to carry out a remote code execution (RCE) attack. Check Point wrote in its blog that “The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.” Additionally, an unprivileged Android app could use the vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Late last year, a pair of vulnerabilities identified in Qualcomm and MediaTek chipsets were finally patched, but not before an attacker had access to media and audio conversations on two-thirds of Android handsets. The Apple Lossless Audio Codec (ALAC), which enables lossless data compression of digital audio streams, is used by both Qualcomm and MediaTek. Apple declared ALAC open-source a little over a decade ago, allowing it to be utilised on non-Apple devices like Android phones. Several updates have been made; however, it had not been patched since 2011.

Highlights

  • Check Point passed the information it had gathered to both Qualcomm and MediaTek. The latter “awarded” two Common Vulnerabilities and Exposures numbers, CVE-2021-0674 and CVE-2021-0675, to the ALAC vulnerabilities, which had already been fixed by MediaTek and published in the December 2021 MediaTek Security Bulletin. Qualcomm released a patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

  • Qualcomm and MediaTek chips were affected by the vulnerabilities – 67% of Android phones were at risk for a remote attack until late last year. Check Point Research has discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio decoders, which it says are used on over half of all smartphones worldwide. Check Point notes that the latest IDC numbers show that a leading 48.1% share of all Android phones in the States are equipped with a MediaTek chipset, with 47% using Qualcomm.

Security researcher Slava Makkaveev, who discovered the vulnerabilities along with Netanel Ben Simon, said, “The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone.”
