Critical bug could have let hackers commandeer millions of Android devices

Critical bug could have let hackers commandeer millions of Android devices
Getty Images

reader comments
70 with 49 posters participating

Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.

The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.

Together, Qualcomm and MediaTek supply mobile chipsets for an estimated 95 percent of US Android devices.

Remote bugging device

The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the limits of allocated memory. Hackers could exploit this mistake to force the decoder to execute malicious code that otherwise would be off-limits.

“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”

Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they’ve received a patch.

provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver.