Before getting alarmed, it is worth clarifying one thing: this is the usual kind of dangerous bug that can be exploited to build malware or a surveillance tool. There are hundreds of them, and the well-known ones are only the tip of the iceberg.
But this time the story behind the bug is worth telling: we are talking about a problem that affects the Qualcomm and Mediatek audio decoders, and both companies are the world’s largest Android smartphone chip makers. It is estimated that more than two thirds of the world’s phones are at risk, a huge number.
iPhones are not affected, and neither are the very few Android phones that have been updated. For all the others there is not much to do, especially for the older ones that will never be updated.
The flaw can be exploited in a simple way: with an audio file. An audio file is sent to the Android device and, as soon as the system tries to preview or play it, it may trigger code that allows remote access to the DSP’s data. The phone’s DSP handles audio, microphone, and camera streams, which means that the phone can potentially be turned into a streaming system. According to Check Point, the vulnerability could also be exploited by an application created to exploit this bug: it can escalate privileges and gain access to the audio and video streams that pass through the various DSPs.
What does Apple have to do with all this? The vulnerability is related to the Apple Lossless Audio Codec (ALAC), also known as Apple Lossless. ALAC is an audio coding format developed by Apple and introduced in 2004 for lossless digital music compression. In late 2011, Apple made the codec open source. The ALAC format has since been incorporated into many non-Apple audio devices and drivers, including Android smartphones, Linux and Windows media players, and converters.
The weakness of the Mediatek and Qualcomm processors is a flaw in the software decoder for Apple’s ALAC format. Apple is responsible for all of this: it released ALAC as “open source”, but since 2011 it has continued to work on and improve the code in its own repository, closing every possible security vulnerability. The open source version was not maintained by anyone, neither by Apple, which only cared about its own version, nor by outside contributors: since 2011 the open version of the decoder has not been patched. The ALAC decoder used by Apple is secure; the others’ decoder is not.
And so Qualcomm and Mediatek carried the vulnerability into their driver builds, although when they realized this in October 2021 they took steps to close the bug. Here too there is a contradiction: they closed it in their own builds, while the source code in the open repository still has the security bugs.
The flaw was flagged by Qualcomm as CVE-2021-30351 and by Mediatek as CVE-2021-0674 and CVE-2021-0675, and some vendors have actually fixed it: OPPO, for example, fixed it with the December patches, while Samsung included it in the January patches, although it specifies that the fix does not concern some Samsung devices, those with Exynos: they probably use another type of decoder.