According to the Check Point Research team, this is a vulnerability in the ALAC format — Apple Lossless Audio Codec — which was introduced by Apple in 2004 for the purpose of distributing lossless audio files. Apple has updated its proprietary ALAC decoder over time, whereas Qualcomm and MediaTek utilise an open-source version that hasn’t been updated since 2011.
“The ALAC issues our researchers found could be used by an attacker for a remote code execution attack (RCE) on a mobile device through a malformed audio file,” Check Point explained. An Android app could also have used the vulnerability to escalate its privileges.
“The vulnerabilities were easily exploitable. A hacker could have broadcast a song (or any media file) and, when played by a victim, injected code into the privileged media service,” said Slava Makkaveev, reverse engineering & security researcher at Check Point.
According to Check Point, at least two-thirds of all smartphones sold in 2021 may be vulnerable to attack unless they have been patched. After Check Point informed MediaTek and Qualcomm about the vulnerabilities (CVE-2021-0674, CVE-2021-0675, CVE-2021-30351), they were closed in December 2021, and the patches were submitted to the device manufacturers and Google, which in turn made them available to users during the month of December.
The discovery of the vulnerability raises concerns not only about Qualcomm and MediaTek’s failure to keep open-source ALAC decoders up to date but also about whether other open-source code libraries could suffer from similar problems.