Two-thirds of Android smartphones shipped in 2021 found to have had a vulnerability that allowed audio to be accessed from outside


It has come to light that the Apple Lossless Audio Codec (ALAC) decoder built into Android smartphones exposed nearly two-thirds of the smartphones shipped in 2021 to the risk of remote code execution. At the time of writing, the problem has already been fixed.

Largest Mobile Chipset Manufacturers used Vulnerable Audio Decoder, 2/3 of Android users' Privacy around the World were at Risk - Check Point Software

ALAC, which is used in iTunes and elsewhere, is an audio coding format originally developed by Apple and open sourced in 2011. Since then, ALAC has been incorporated into many non-Apple audio playback devices and programs, including Android smartphones and media players and converters for Linux and Windows.

Apple has updated its own version of the decoder multiple times to fix and patch security issues, but the shared open source code has not been patched since 2011. It is now clear that this unpatched, vulnerable ALAC code was ported into smartphone audio decoders by two of the world's largest mobile chipset makers, Qualcomm and MediaTek.

According to a study by cybersecurity company Check Point Research, the ALAC code in question could be used by an attacker to carry out a remote code execution attack on a mobile device via a malformed audio file. A remote code execution attack allows an attacker to remotely execute malicious code on a computer to run malware, access the camera, and so on. There was also a possibility that an unprivileged Android app could use the vulnerability to access media data and user conversations.

MediaTek and Qualcomm chipsets held a combined 67% share in the second quarter of 2021, and all of them are believed to have been vulnerable. Check Point Research has already disclosed the information to both companies. MediaTek released fixes for CVE-2021-0674 and CVE-2021-0675, the vulnerabilities corresponding to this report, in December 2021, and Qualcomm also released a fix for the corresponding vulnerability, CVE-2021-30351, in December 2021.

in Mobile, Software, Security, Posted by log1p_kr