Android security flaw rooted in Apple’s lossless audio codec

Recently, Android devices have been exposed to security vulnerabilities, but the root cause comes from Apple’s lossless audio codec (ALAC). Currently, 95% of Android devices in the U.S. market come from Qualcomm and MediaTek. Security company Check Point pointed out that devices that have not yet installed the December 2021 Android Security Patch have “Out-of-Bounds” security vulnerabilities and are easily controlled by hackers.

The vulnerability exists in ALAC, commonly known as the Apple Lossless Audio Codec. ALAC is an audio format introduced by Apple as early as 2004. As the name suggests, the codec promises lossless audio over the internet.

While Apple designed its own proprietary version of ALAC, an open-source version exists that Qualcomm and MediaTek rely on in Android smartphones . Notably, both chipset makers are using a version that hasn’t been updated since 2011.

In a blog post attempting to explain the security flaw, Check Point wrote:

The ALAC issue identified by our researchers can be used by attackers to conduct Remote Code Execution (RCE) attacks on mobile devices via malformed audio files. RCE attacks allow attackers to remotely execute malicious code on a computer. The impact of the RCE vulnerability ranges from the execution of malware to the attacker gaining control of a user’s multimedia data, including streaming media from the camera of the attacked machine.

Qualcomm has been tracking the vulnerability with the CVE identification tag CVE-2021-30351, while MediaTek has used the CVE IDs CVE-2021-0674 and CVE-2021-0675. Technical jargon aside, a vulnerability in the open-source version of Apple’s NDT could be exploited by an unprivileged Android app to escalate its system privileges to media data and device microphones. This basically means that the app can not only eavesdrop on phone conversations, but also nearby conversations and other ambient sounds.