67% of Android phones were at risk for a remote attack until late last year

A trio of vulnerabilities discovered in Qualcomm and MediaTek chipsets were finally patched late last year, but not before two-thirds of Android handsets were at the risk of having an attacker gain access to media and audio conversations. Both Qualcomm and MediaTek employ the Apple Lossless Audio Codec (ALAC) which allows for lossless data compression of digital music streams.

Just over a decade ago, Apple made ALAC open-source allowing the format to be used on non-Apple devices including Android phones. There have been several updates but it had not been patched since 2011.

Researchers at Israeli security firm Check Point Research discovered that attackers could use the vulnerabilities to execute a remote code execution (RCE) attack. Check Point wrote in its blog that "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera." Additionally, an unprivileged Android app could use its vulnerabilities to escalate its privileges gaining access to media data and user conversations.

Check Point Research has discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio decoders which it says are used on over half of all smartphones worldwide. Check Point notes that the latest IDC numbers show that a leading 48.1% share of all Android phones in the states are equipped with a MediaTek chipset with 47% using Qualcomm.

Check Point passed the information it had gathered to both Qualcomm and MediaTek. The latter "awarded" two Common Vulnerabilities and Exposures vulnerability numbers, CVE-2021-0674 and CVE-2021-0675, to the ALAC vulnerabilities which had already been fixed by MediaTek and published in the December 2021 MediaTek Security Bulletin. Qualcomm released a patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Security researcher Slava Makkaveev, who discovered the vulnerabilities along with Netanel Ben Simon, said, "The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone."